diff --git a/modules-minimum.conf b/modules-minimum.conf
index d1bb917..d3b08ab 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1274,14 +1274,6 @@ publicfile = module
 pulseaudio = module
 
 # Layer: services
-# Module: pyzor
-#
-# Spam Blocker
-# 
-pyzor = module
-
-
-# Layer: services
 # Module: qmail
 #
 # Policy for qmail
@@ -1323,13 +1315,6 @@ radius = module
 # 
 radvd = module
 
-# Layer: services
-# Module: razor
-#
-# A distributed, collaborative, spam detection and filtering network.
-# 
-razor = module
-
 # Layer: admin
 # Module: readahead
 #
diff --git a/modules-mls.conf b/modules-mls.conf
index b99b28a..d2bbca4 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1191,13 +1191,6 @@ publicfile = module
 pulseaudio = module
 
 # Layer: services
-# Module: pyzor
-#
-# Spam Blocker
-# 
-pyzor = module
-
-# Layer: services
 # Module: qmail
 #
 # Policy for qmail
@@ -1239,13 +1232,6 @@ radius = module
 # 
 radvd = module
 
-# Layer: services
-# Module: razor
-#
-# A distributed, collaborative, spam detection and filtering network.
-# 
-razor = module
-
 # Layer: admin
 # Module: readahead
 #
diff --git a/modules-targeted.conf b/modules-targeted.conf
index d1bb917..d3b08ab 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1274,14 +1274,6 @@ publicfile = module
 pulseaudio = module
 
 # Layer: services
-# Module: pyzor
-#
-# Spam Blocker
-# 
-pyzor = module
-
-
-# Layer: services
 # Module: qmail
 #
 # Policy for qmail
@@ -1323,13 +1315,6 @@ radius = module
 # 
 radvd = module
 
-# Layer: services
-# Module: razor
-#
-# A distributed, collaborative, spam detection and filtering network.
-# 
-razor = module
-
 # Layer: admin
 # Module: readahead
 #
diff --git a/policy-F14.patch b/policy-F14.patch
index 5eefd78..bb9a0b2 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.8/Makefile
 --- nsaserefpolicy/Makefile	2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/Makefile	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/Makefile	2010-07-30 14:06:53.000000000 -0400
 @@ -244,7 +244,7 @@
  appdir := $(contextpath)
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -12,7 +12,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.8/M
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/git_selinux.8 serefpolicy-3.8.8/man/man8/git_selinux.8
 --- nsaserefpolicy/man/man8/git_selinux.8	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/man/man8/git_selinux.8	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/man/man8/git_selinux.8	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,109 @@
 +.TH  "git_selinux"  "8"  "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation"
 +.de EX
@@ -125,7 +125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/git_selinux.8 seref
 +selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/constraints serefpolicy-3.8.8/policy/constraints
 --- nsaserefpolicy/policy/constraints	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.8.8/policy/constraints	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/constraints	2010-07-30 14:06:53.000000000 -0400
 @@ -1,4 +1,3 @@
 -
  #
@@ -199,7 +199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/constraints serefpoli
  undefine(`basic_ubac_conditions')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.8.8/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/global_tunables	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/global_tunables	2010-07-30 14:06:53.000000000 -0400
 @@ -61,15 +61,6 @@
  
  ## <desc>
@@ -237,7 +237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.8.8/policy/mcs
 --- nsaserefpolicy/policy/mcs	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.8.8/policy/mcs	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/mcs	2010-07-30 14:06:53.000000000 -0400
 @@ -86,10 +86,10 @@
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
@@ -253,14 +253,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.8.8
  mlsconstrain process { transition dyntransition }
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.fc serefpolicy-3.8.8/policy/modules/admin/accountsd.fc
 --- nsaserefpolicy/policy/modules/admin/accountsd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/accountsd.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,3 @@
 +/usr/libexec/accounts-daemon		--	gen_context(system_u:object_r:accountsd_exec_t,s0)
 +
 +/var/lib/AccountsService(/.*)?			gen_context(system_u:object_r:accountsd_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.if serefpolicy-3.8.8/policy/modules/admin/accountsd.if
 --- nsaserefpolicy/policy/modules/admin/accountsd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/accountsd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,173 @@
 +## <summary>Accountsservice D-Bus interfaces for querying and manipulating user account information.</summary>
 +
@@ -437,7 +437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.8.8/policy/modules/admin/accountsd.te
 --- nsaserefpolicy/policy/modules/admin/accountsd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,64 @@
 +policy_module(accountsd, 1.0.0)
 +
@@ -505,7 +505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.if serefpolicy-3.8.8/policy/modules/admin/acct.if
 --- nsaserefpolicy/policy/modules/admin/acct.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/acct.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/acct.if	2010-07-30 14:06:53.000000000 -0400
 @@ -25,7 +25,7 @@
  ## </summary>
  ## <param name="domain">
@@ -535,7 +535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.if
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.8.8/policy/modules/admin/alsa.fc
 --- nsaserefpolicy/policy/modules/admin/alsa.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/alsa.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/alsa.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,18 +1,20 @@
 -/bin/alsaunmute		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 +HOME_DIR/\.asoundrc			--	gen_context(system_u:object_r:alsa_home_t,s0)
@@ -570,7 +570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
 +/var/lib/alsa(/.*)?				gen_context(system_u:object_r:alsa_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.8.8/policy/modules/admin/alsa.if
 --- nsaserefpolicy/policy/modules/admin/alsa.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/alsa.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/alsa.if	2010-07-30 14:06:53.000000000 -0400
 @@ -1,8 +1,9 @@
 -## <summary>Ainit ALSA configuration tool</summary>
 +## <summary>Advanced Linux Sound Architecture.</summary>
@@ -682,7 +682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.8.8/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/alsa.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/alsa.te	2010-07-30 14:06:53.000000000 -0400
 @@ -16,6 +16,9 @@
  type alsa_var_lib_t;
  files_type(alsa_var_lib_t)
@@ -704,7 +704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
  files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.8.8/policy/modules/admin/amanda.if
 --- nsaserefpolicy/policy/modules/admin/amanda.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/amanda.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/amanda.if	2010-07-30 14:06:53.000000000 -0400
 @@ -1,12 +1,13 @@
 -## <summary>Automated backup program.</summary>
 +## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
@@ -869,7 +869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.8.8/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/anaconda.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/anaconda.te	2010-07-30 14:06:53.000000000 -0400
 @@ -28,8 +28,10 @@
  logging_send_syslog_msg(anaconda_t)
  
@@ -892,7 +892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/apt.if serefpolicy-3.8.8/policy/modules/admin/apt.if
 --- nsaserefpolicy/policy/modules/admin/apt.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/apt.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/apt.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -967,7 +967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/apt.if 
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/backup.if serefpolicy-3.8.8/policy/modules/admin/backup.if
 --- nsaserefpolicy/policy/modules/admin/backup.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/backup.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/backup.if	2010-07-30 14:06:53.000000000 -0400
 @@ -25,7 +25,7 @@
  ## </summary>
  ## <param name="domain">
@@ -979,7 +979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/backup.
  ## <param name="role">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.if serefpolicy-3.8.8/policy/modules/admin/bootloader.if
 --- nsaserefpolicy/policy/modules/admin/bootloader.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/bootloader.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/bootloader.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1034,9 +1034,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa
  ##	</summary>
  ## </param>
  #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.8.8/policy/modules/admin/brctl.if
+--- nsaserefpolicy/policy/modules/admin/brctl.if	2010-07-27 16:06:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/brctl.if	2010-08-10 05:23:35.000000000 -0400
+@@ -17,3 +17,22 @@
+ 
+ 	domtrans_pattern($1, brctl_exec_t, brctl_t)
+ ')
++
++#####################################
++## <summary>
++##      Execute brctl in the brctl domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`brctl_run',`
++        gen_require(`
++                type brctl_t, brctl_exec_t;
++        ')
++
++        brctl_domtrans($1)
++        role $2 types brctl_t;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.8.8/policy/modules/admin/certwatch.if
 --- nsaserefpolicy/policy/modules/admin/certwatch.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/certwatch.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/certwatch.if	2010-07-30 14:06:53.000000000 -0400
 @@ -29,7 +29,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1057,7 +1083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
  ## <param name="role">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.8.8/policy/modules/admin/certwatch.te
 --- nsaserefpolicy/policy/modules/admin/certwatch.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/certwatch.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/certwatch.te	2010-07-30 14:06:53.000000000 -0400
 @@ -35,7 +35,7 @@
  miscfiles_read_localization(certwatch_t)
  
@@ -1077,7 +1103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.8.8/policy/modules/admin/consoletype.if
 --- nsaserefpolicy/policy/modules/admin/consoletype.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/consoletype.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/consoletype.if	2010-07-30 14:06:53.000000000 -0400
 @@ -8,7 +8,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1107,7 +1133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
  ## <rolecap/>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.8.8/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/consoletype.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/consoletype.te	2010-07-30 14:06:53.000000000 -0400
 @@ -85,6 +85,7 @@
  	hal_dontaudit_rw_pipes(consoletype_t)
  	hal_dontaudit_rw_dgram_sockets(consoletype_t)
@@ -1118,7 +1144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ddcprobe.if serefpolicy-3.8.8/policy/modules/admin/ddcprobe.if
 --- nsaserefpolicy/policy/modules/admin/ddcprobe.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/ddcprobe.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/ddcprobe.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1139,7 +1165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ddcprob
  ## <param name="role">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.if serefpolicy-3.8.8/policy/modules/admin/dmesg.if
 --- nsaserefpolicy/policy/modules/admin/dmesg.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/dmesg.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/dmesg.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1160,7 +1186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.i
  ## <rolecap/>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.8.8/policy/modules/admin/dmesg.te
 --- nsaserefpolicy/policy/modules/admin/dmesg.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/dmesg.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/dmesg.te	2010-07-30 14:06:53.000000000 -0400
 @@ -50,6 +50,12 @@
  userdom_use_user_terminals(dmesg_t)
  
@@ -1176,7 +1202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.t
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.if serefpolicy-3.8.8/policy/modules/admin/dmidecode.if
 --- nsaserefpolicy/policy/modules/admin/dmidecode.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/dmidecode.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/dmidecode.if	2010-07-30 14:06:53.000000000 -0400
 @@ -30,7 +30,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1188,7 +1214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmideco
  ## <param name="role">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dpkg.if serefpolicy-3.8.8/policy/modules/admin/dpkg.if
 --- nsaserefpolicy/policy/modules/admin/dpkg.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/dpkg.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/dpkg.if	2010-07-30 14:06:53.000000000 -0400
 @@ -8,7 +8,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1272,7 +1298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dpkg.if
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-3.8.8/policy/modules/admin/firstboot.if
 --- nsaserefpolicy/policy/modules/admin/firstboot.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/firstboot.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/firstboot.if	2010-07-30 14:06:53.000000000 -0400
 @@ -9,7 +9,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1320,7 +1346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.8.8/policy/modules/admin/firstboot.te
 --- nsaserefpolicy/policy/modules/admin/firstboot.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/firstboot.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/firstboot.te	2010-07-30 14:06:53.000000000 -0400
 @@ -121,6 +121,7 @@
  ')
  
@@ -1331,7 +1357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.if serefpolicy-3.8.8/policy/modules/admin/kudzu.if
 --- nsaserefpolicy/policy/modules/admin/kudzu.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/kudzu.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/kudzu.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1361,7 +1387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.i
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.if serefpolicy-3.8.8/policy/modules/admin/logrotate.if
 --- nsaserefpolicy/policy/modules/admin/logrotate.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logrotate.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logrotate.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1391,7 +1417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.8.8/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logrotate.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logrotate.te	2010-07-30 14:06:53.000000000 -0400
 @@ -119,6 +119,7 @@
  userdom_use_user_terminals(logrotate_t)
  userdom_list_user_home_dirs(logrotate_t)
@@ -1411,7 +1437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.fc serefpolicy-3.8.8/policy/modules/admin/logwatch.fc
 --- nsaserefpolicy/policy/modules/admin/logwatch.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logwatch.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,7 +1,11 @@
  /usr/sbin/logcheck	--	gen_context(system_u:object_r:logwatch_exec_t,s0)
 +/usr/sbin/epylog	--	gen_context(system_u:object_r:logwatch_exec_t,s0)
@@ -1426,7 +1452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.8.8/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te	2010-07-30 14:06:53.000000000 -0400
 @@ -19,6 +19,9 @@
  type logwatch_tmp_t;
  files_tmp_file(logwatch_tmp_t)
@@ -1447,7 +1473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
  kernel_read_fs_sysctls(logwatch_t)
  kernel_read_kernel_sysctls(logwatch_t)
  kernel_read_system_state(logwatch_t)
-@@ -92,8 +98,14 @@
+@@ -92,8 +98,15 @@
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -1460,12 +1486,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 +role system_r types logwatch_mail_t;
 +logging_read_all_logs(logwatch_mail_t)
 +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
++allow logwatch_mail_t self:capability { dac_read_search dac_override };
  
  ifdef(`distro_redhat',`
  	files_search_all(logwatch_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.8.8/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/mrtg.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/mrtg.te	2010-07-30 14:06:53.000000000 -0400
 @@ -115,6 +115,7 @@
  userdom_use_user_terminals(mrtg_t)
  userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -1476,14 +1503,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.fc serefpolicy-3.8.8/policy/modules/admin/ncftool.fc
 --- nsaserefpolicy/policy/modules/admin/ncftool.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/ncftool.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/bin/ncftool		--	gen_context(system_u:object_r:ncftool_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.8.8/policy/modules/admin/ncftool.if
 --- nsaserefpolicy/policy/modules/admin/ncftool.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.if	2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,74 @@
++++ serefpolicy-3.8.8/policy/modules/admin/ncftool.if	2010-08-10 05:23:35.000000000 -0400
+@@ -0,0 +1,78 @@
 +
 +## <summary>policy for ncftool</summary>
 +
@@ -1528,6 +1555,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
 +
 +	ncftool_domtrans($1)
 +	role $2 types ncftool_t;
++
++	optional_policy(`
++        	brctl_run(ncftool_t, $2)
++	')
 +')
 +
 +########################################
@@ -1560,8 +1591,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.8/policy/modules/admin/ncftool.te
 --- nsaserefpolicy/policy/modules/admin/ncftool.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te	2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,79 @@
++++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te	2010-08-10 05:23:35.000000000 -0400
+@@ -0,0 +1,87 @@
 +policy_module(ncftool, 1.0.0)
 +
 +########################################
@@ -1607,6 +1638,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
 +
 +dev_read_sysfs(ncftool_t)
 +
++files_manage_system_conf_files(ncftool_t)
++files_relabelto_system_conf_files(ncftool_t)
 +files_read_etc_files(ncftool_t)
 +files_read_etc_runtime_files(ncftool_t)
 +files_read_usr_files(ncftool_t)
@@ -1627,23 +1660,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
 +sysnet_read_dhcpc_state(ncftool_t)
 +sysnet_relabelfrom_net_conf(ncftool_t)
 +sysnet_relabelto_net_conf(ncftool_t)
++sysnet_read_dhcpc_pid(ncftool_t)
++sysnet_signal_dhcpc(ncftool_t)
 +
 +userdom_read_user_tmp_files(ncftool_t)
 +
 +optional_policy(`
-+	brctl_domtrans(ncftool_t)
++	consoletype_exec(ncftool_t)
 +')
 +
 +optional_policy(`
-+	consoletype_exec(ncftool_t)
++        dbus_system_bus_client(ncftool_t)
 +')
 +
 +optional_policy(`
-+        dbus_system_bus_client(ncftool_t)
++	iptables_initrc_domtrans(ncftool_t)
++')
++
++optional_policy(`
++	iptables_initrc_domtrans(ncftool_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.8/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/netutils.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/netutils.te	2010-07-30 14:06:53.000000000 -0400
 @@ -51,6 +51,8 @@
  
  kernel_search_proc(netutils_t)
@@ -1728,7 +1767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/prelink.te	2010-08-10 07:29:36.000000000 -0400
 @@ -59,6 +59,7 @@
  manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@@ -1745,7 +1784,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  
  files_list_all(prelink_t)
  files_getattr_all_files(prelink_t)
-@@ -99,6 +101,8 @@
+@@ -86,6 +88,8 @@
+ 
+ fs_getattr_xattr_fs(prelink_t)
+ 
++storage_getattr_fixed_disk_dev(prelink_t)
++
+ selinux_get_enforce_mode(prelink_t)
+ 
+ libs_exec_ld_so(prelink_t)
+@@ -99,6 +103,8 @@
  miscfiles_read_localization(prelink_t)
  
  userdom_use_user_terminals(prelink_t)
@@ -1754,7 +1802,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  
  optional_policy(`
  	amanda_manage_lib(prelink_t)
-@@ -129,6 +133,7 @@
+@@ -109,6 +115,10 @@
+ ')
+ 
+ optional_policy(`
++	nsplugin_manage_rw_files(prelink_t)
++')
++
++optional_policy(`
+ 	rpm_manage_tmp_files(prelink_t)
+ ')
+ 
+@@ -129,6 +139,7 @@
  
  	read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
  	allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -1764,7 +1823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  	allow prelink_cron_system_t prelink_t:process noatsecure;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.if serefpolicy-3.8.8/policy/modules/admin/quota.if
 --- nsaserefpolicy/policy/modules/admin/quota.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/quota.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/quota.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -1785,7 +1844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.i
  ## <param name="role">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.8.8/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/readahead.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/readahead.te	2010-07-30 14:06:53.000000000 -0400
 @@ -51,6 +51,7 @@
  
  files_list_non_security(readahead_t)
@@ -1804,7 +1863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
  fs_dontaudit_read_ramfs_files(readahead_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.8.8/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/rpm.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/rpm.fc	2010-08-06 11:14:58.000000000 -0400
 @@ -7,6 +7,7 @@
  
  /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1823,9 +1882,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc 
  ')
  
  /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
+@@ -36,6 +40,8 @@
+ /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+ /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+ 
++/var/spool/up2date(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
++
+ /var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
+ /var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.8.8/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/rpm.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/rpm.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,18 +6,21 @@
  ## </summary>
  ## <param name="domain">
@@ -2081,7 +2149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.8.8/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/rpm.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/rpm.te	2010-08-04 16:24:06.000000000 -0400
 @@ -1,10 +1,11 @@
  policy_module(rpm, 1.11.1)
  
@@ -2225,7 +2293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  		java_domtrans_unconfined(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectoolm.te serefpolicy-3.8.8/policy/modules/admin/sectoolm.te
 --- nsaserefpolicy/policy/modules/admin/sectoolm.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/sectoolm.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/sectoolm.te	2010-07-30 14:06:53.000000000 -0400
 @@ -84,6 +84,7 @@
  sysnet_domtrans_ifconfig(sectoolm_t)
  
@@ -2236,7 +2304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectool
  	mount_exec(sectoolm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.8.8/policy/modules/admin/shorewall.if
 --- nsaserefpolicy/policy/modules/admin/shorewall.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if	2010-07-30 14:06:53.000000000 -0400
 @@ -134,9 +134,10 @@
  #
  interface(`shorewall_admin',`
@@ -2268,7 +2336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.8/policy/modules/admin/shorewall.te
 --- nsaserefpolicy/policy/modules/admin/shorewall.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te	2010-07-30 14:06:53.000000000 -0400
 @@ -80,13 +80,14 @@
  
  init_rw_utmp(shorewall_t)
@@ -2287,7 +2355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
  	hostname_exec(shorewall_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.8.8/policy/modules/admin/shutdown.fc
 --- nsaserefpolicy/policy/modules/admin/shutdown.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shutdown.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -3,3 +3,5 @@
  /sbin/shutdown		--	gen_context(system_u:object_r:shutdown_exec_t,s0)
  
@@ -2296,7 +2364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
 +/lib/upstart/shutdown 	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.8.8/policy/modules/admin/shutdown.if
 --- nsaserefpolicy/policy/modules/admin/shutdown.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shutdown.if	2010-07-30 14:06:53.000000000 -0400
 @@ -19,10 +19,11 @@
  
  	ifdef(`hide_broken_symptoms', `
@@ -2386,7 +2454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.8.8/policy/modules/admin/shutdown.te
 --- nsaserefpolicy/policy/modules/admin/shutdown.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shutdown.te	2010-08-10 05:23:35.000000000 -0400
 @@ -36,6 +36,8 @@
  files_read_etc_files(shutdown_t)
  files_read_generic_pids(shutdown_t)
@@ -2396,10 +2464,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
  term_use_all_terms(shutdown_t)
  
  auth_use_nsswitch(shutdown_t)
+@@ -55,5 +57,10 @@
+ ')
+ 
+ optional_policy(`
++    oddjob_dontaudit_rw_fifo_file(shutdown_t)
++    oddjob_sigchld(shutdown_t)
++')
++
++optional_policy(`
+ 	xserver_dontaudit_write_log(shutdown_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.8.8/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/sudo.if	2010-07-27 16:12:03.000000000 -0400
-@@ -134,12 +134,16 @@
++++ serefpolicy-3.8.8/policy/modules/admin/sudo.if	2010-07-30 14:06:53.000000000 -0400
+@@ -76,6 +76,8 @@
+ 	# By default, revert to the calling domain when a shell is executed.
+ 	corecmd_shell_domtrans($1_sudo_t, $3)
+ 	corecmd_bin_domtrans($1_sudo_t, $3)
++	userdom_domtrans_user_home($1_sudo_t, $3)
++	userdom_domtrans_user_tmp($1_sudo_t, $3)
+ 	allow $3 $1_sudo_t:fd use;
+ 	allow $3 $1_sudo_t:fifo_file rw_file_perms;
+ 	allow $3 $1_sudo_t:process signal_perms;
+@@ -134,12 +136,16 @@
  	userdom_manage_user_tmp_symlinks($1_sudo_t)
  	userdom_use_user_terminals($1_sudo_t)
  	# for some PAM modules and for cwd
@@ -2419,7 +2507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
  	')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.8.8/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/su.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/su.if	2010-07-30 14:06:53.000000000 -0400
 @@ -212,7 +212,7 @@
  
  	auth_domtrans_chk_passwd($1_su_t)
@@ -2439,7 +2527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
  		# RHEL5 and possibly newer releases incl. Fedora
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.if serefpolicy-3.8.8/policy/modules/admin/tmpreaper.if
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -2451,7 +2539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.8.8/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.te	2010-07-30 14:06:53.000000000 -0400
 @@ -25,8 +25,11 @@
  files_read_etc_files(tmpreaper_t)
  files_read_var_lib_files(tmpreaper_t)
@@ -2491,7 +2579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/updfstab.if serefpolicy-3.8.8/policy/modules/admin/updfstab.if
 --- nsaserefpolicy/policy/modules/admin/updfstab.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/updfstab.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/updfstab.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -2503,7 +2591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/updfsta
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usbmodules.if serefpolicy-3.8.8/policy/modules/admin/usbmodules.if
 --- nsaserefpolicy/policy/modules/admin/usbmodules.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/usbmodules.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/usbmodules.if	2010-07-30 14:06:53.000000000 -0400
 @@ -26,7 +26,7 @@
  ## </summary>
  ## <param name="domain">
@@ -2515,7 +2603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usbmodu
  ## <param name="role">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.8.8/policy/modules/admin/usermanage.if
 --- nsaserefpolicy/policy/modules/admin/usermanage.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/usermanage.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/usermanage.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -2627,7 +2715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.8.8/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/usermanage.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/usermanage.te	2010-07-30 14:06:53.000000000 -0400
 @@ -295,6 +295,7 @@
  
  term_use_all_ttys(passwd_t)
@@ -2679,21 +2767,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.8.8/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/vbetool.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/vbetool.te	2010-07-30 14:06:53.000000000 -0400
 @@ -24,7 +24,10 @@
  dev_rw_xserver_misc(vbetool_t)
  dev_rw_mtrr(vbetool_t)
  
+-domain_mmap_low(vbetool_t)
 +domain_mmap_low_type(vbetool_t)
 +tunable_policy(`mmap_low_allowed',`
- domain_mmap_low(vbetool_t)
++	allow vbetool_t self:memprotect mmap_zero;
 +')
  
  mls_file_read_all_levels(vbetool_t)
  mls_file_write_all_levels(vbetool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.8.8/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/vpn.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/vpn.te	2010-07-30 14:06:53.000000000 -0400
 @@ -107,6 +107,7 @@
  
  userdom_use_all_users_fds(vpnc_t)
@@ -2704,7 +2793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te 
  	dbus_system_bus_client(vpnc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.8.8/policy/modules/apps/awstats.te
 --- nsaserefpolicy/policy/modules/apps/awstats.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/awstats.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/awstats.te	2010-07-30 14:06:53.000000000 -0400
 @@ -47,6 +47,7 @@
  files_read_etc_files(awstats_t)
  # e.g. /usr/share/awstats/lang/awstats-en.txt
@@ -2715,14 +2804,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.8.8/policy/modules/apps/chrome.fc
 --- nsaserefpolicy/policy/modules/apps/chrome.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/chrome.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/chrome.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,3 @@
 + /opt/google/chrome/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 +
 +/usr/lib(64)?/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.8.8/policy/modules/apps/chrome.if
 --- nsaserefpolicy/policy/modules/apps/chrome.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/chrome.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/chrome.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,90 @@
 +
 +## <summary>policy for chrome</summary>
@@ -2816,7 +2905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.8.8/policy/modules/apps/chrome.te
 --- nsaserefpolicy/policy/modules/apps/chrome.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/chrome.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/chrome.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,86 @@
 +policy_module(chrome,1.0.0)
 +
@@ -2906,7 +2995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.8.8/policy/modules/apps/cpufreqselector.te
 --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/cpufreqselector.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/cpufreqselector.te	2010-07-30 14:06:53.000000000 -0400
 @@ -27,7 +27,7 @@
  miscfiles_read_localization(cpufreqselector_t)
  
@@ -2918,7 +3007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
  	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.8.8/policy/modules/apps/execmem.fc
 --- nsaserefpolicy/policy/modules/apps/execmem.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,49 @@
 +
 +/usr/bin/aticonfig	--	gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2971,7 +3060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.8.8/policy/modules/apps/execmem.if
 --- nsaserefpolicy/policy/modules/apps/execmem.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/execmem.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/execmem.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,110 @@
 +## <summary>execmem domain</summary>
 +
@@ -3085,7 +3174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.8.8/policy/modules/apps/execmem.te
 --- nsaserefpolicy/policy/modules/apps/execmem.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/execmem.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/execmem.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,10 @@
 +policy_module(execmem, 1.0.0)
 +
@@ -3099,14 +3188,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.8.8/policy/modules/apps/firewallgui.fc
 --- nsaserefpolicy/policy/modules/apps/firewallgui.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,3 @@
 +
 +/usr/share/system-config-firewall/system-config-firewall-mechanism.py	--	gen_context(system_u:object_r:firewallgui_exec_t,s0)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.8.8/policy/modules/apps/firewallgui.if
 --- nsaserefpolicy/policy/modules/apps/firewallgui.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,23 @@
 +
 +## <summary>policy for firewallgui</summary>
@@ -3133,7 +3222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.8.8/policy/modules/apps/firewallgui.te
 --- nsaserefpolicy/policy/modules/apps/firewallgui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,66 @@
 +policy_module(firewallgui,1.0.0)
 +
@@ -3203,7 +3292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.8.8/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gnome.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gnome.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,8 +1,28 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
@@ -3237,7 +3326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.8.8/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gnome.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gnome.if	2010-08-05 09:43:28.000000000 -0400
 @@ -74,6 +74,24 @@
  
  ########################################
@@ -3694,7 +3783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.8.8/policy/modules/apps/gnome.te
 --- nsaserefpolicy/policy/modules/apps/gnome.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gnome.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gnome.te	2010-07-30 14:06:53.000000000 -0400
 @@ -6,18 +6,33 @@
  #
  
@@ -3847,7 +3936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.8.8/policy/modules/apps/gpg.fc
 --- nsaserefpolicy/policy/modules/apps/gpg.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gpg.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gpg.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,4 +1,5 @@
  HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
 +/root/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
@@ -3856,7 +3945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
  /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.8.8/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gpg.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gpg.if	2010-07-30 14:06:53.000000000 -0400
 @@ -85,6 +85,43 @@
  	domtrans_pattern($1, gpg_exec_t, gpg_t)
  ')
@@ -3903,7 +3992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
  ##	Send generic signals to user gpg processes.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.8.8/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gpg.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gpg.te	2010-07-30 14:06:53.000000000 -0400
 @@ -4,6 +4,7 @@
  #
  # Declarations
@@ -4048,7 +4137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.8.8/policy/modules/apps/irc.fc
 --- nsaserefpolicy/policy/modules/apps/irc.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/irc.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/irc.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -2,10 +2,14 @@
  # /home
  #
@@ -4066,7 +4155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc s
  /usr/bin/tinyirc	--	gen_context(system_u:object_r:irc_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.8.8/policy/modules/apps/irc.if
 --- nsaserefpolicy/policy/modules/apps/irc.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/irc.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/irc.if	2010-07-30 14:06:53.000000000 -0400
 @@ -18,9 +18,11 @@
  interface(`irc_role',`
  	gen_require(`
@@ -4099,7 +4188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if s
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.8.8/policy/modules/apps/irc.te
 --- nsaserefpolicy/policy/modules/apps/irc.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/irc.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/irc.te	2010-07-30 14:06:53.000000000 -0400
 @@ -24,6 +24,30 @@
  
  ########################################
@@ -4217,7 +4306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.8.8/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/java.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/java.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -9,6 +9,7 @@
  #
  # /usr
@@ -4238,7 +4327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc 
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.8.8/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/java.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/java.if	2010-07-30 14:06:53.000000000 -0400
 @@ -72,7 +72,8 @@
  
  	domain_interactive_fd($1_java_t)
@@ -4277,7 +4366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if 
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.8.8/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/java.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/java.te	2010-07-30 14:06:53.000000000 -0400
 @@ -82,6 +82,7 @@
  dev_read_rand(java_t)
  dev_dontaudit_append_rand(java_t)
@@ -4304,19 +4393,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te 
  		rpm_domtrans(unconfined_java_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.8.8/policy/modules/apps/kdumpgui.fc
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.8.8/policy/modules/apps/kdumpgui.if
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,2 @@
 +## <summary>system-config-kdump policy</summary>
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,68 @@
 +policy_module(kdumpgui,1.0.0)
 +
@@ -4388,7 +4477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.8.8/policy/modules/apps/livecd.if
 --- nsaserefpolicy/policy/modules/apps/livecd.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/livecd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/livecd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -41,6 +41,8 @@
  
  	livecd_domtrans($1)
@@ -4425,7 +4514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.8.8/policy/modules/apps/livecd.te
 --- nsaserefpolicy/policy/modules/apps/livecd.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/livecd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/livecd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -20,6 +20,7 @@
  
  dontaudit livecd_t self:capability2 mac_admin;
@@ -4447,7 +4536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.8.8/policy/modules/apps/loadkeys.if
 --- nsaserefpolicy/policy/modules/apps/loadkeys.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/loadkeys.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/loadkeys.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -4477,7 +4566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.8.8/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mono.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mono.if	2010-07-30 14:06:53.000000000 -0400
 @@ -41,15 +41,18 @@
  	application_type($1_mono_t)
  
@@ -4520,7 +4609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if 
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.8.8/policy/modules/apps/mozilla.fc
 --- nsaserefpolicy/policy/modules/apps/mozilla.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,6 +1,7 @@
  HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -4531,7 +4620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.8.8/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.if	2010-07-30 14:06:53.000000000 -0400
 @@ -48,6 +48,12 @@
  
  	mozilla_dbus_chat($2)
@@ -4556,7 +4645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te	2010-07-30 14:06:53.000000000 -0400
 @@ -25,6 +25,7 @@
  type mozilla_home_t;
  typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
@@ -4595,7 +4684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	pulseaudio_manage_home_files(mozilla_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.8.8/policy/modules/apps/mplayer.if
 --- nsaserefpolicy/policy/modules/apps/mplayer.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mplayer.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mplayer.if	2010-07-30 14:06:53.000000000 -0400
 @@ -102,3 +102,39 @@
  	read_files_pattern($1, mplayer_home_t, mplayer_home_t)
  	userdom_search_user_home_dirs($1)
@@ -4638,7 +4727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.8.8/policy/modules/apps/mplayer.te
 --- nsaserefpolicy/policy/modules/apps/mplayer.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/mplayer.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/mplayer.te	2010-07-30 14:06:53.000000000 -0400
 @@ -32,6 +32,7 @@
  type mplayer_home_t;
  typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
@@ -4677,7 +4766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.8.8/policy/modules/apps/nsplugin.fc
 --- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,10 @@
 +HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
 +HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -4691,7 +4780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.8.8/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if	2010-08-10 07:28:28.000000000 -0400
 @@ -0,0 +1,391 @@
 +
 +## <summary>policy for nsplugin</summary>
@@ -5086,8 +5175,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te	2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,299 @@
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te	2010-08-10 11:45:49.000000000 -0400
+@@ -0,0 +1,300 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -5117,7 +5206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +type nsplugin_rw_t;
 +files_poly_member(nsplugin_rw_t)
-+userdom_user_home_content(nsplugin_rw_t)
++files_type(nsplugin_rw_t)
 +
 +type nsplugin_tmp_t;
 +files_tmp_file(nsplugin_tmp_t)
@@ -5245,6 +5334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +optional_policy(`
 +	alsa_read_rw_config(nsplugin_t)
++	alsa_read_home_files(nsplugin_t)
 +')
 +
 +optional_policy(`
@@ -5389,7 +5479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.8.8/policy/modules/apps/openoffice.fc
 --- nsaserefpolicy/policy/modules/apps/openoffice.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/openoffice.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/openoffice.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,4 @@
 +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
@@ -5397,7 +5487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.8.8/policy/modules/apps/openoffice.if
 --- nsaserefpolicy/policy/modules/apps/openoffice.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/openoffice.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/openoffice.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,129 @@
 +## <summary>Openoffice</summary>
 +
@@ -5530,7 +5620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.8.8/policy/modules/apps/openoffice.te
 --- nsaserefpolicy/policy/modules/apps/openoffice.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/openoffice.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/openoffice.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,16 @@
 +policy_module(openoffice, 1.0.0)
 +
@@ -5550,7 +5640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.8.8/policy/modules/apps/podsleuth.te
 --- nsaserefpolicy/policy/modules/apps/podsleuth.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te	2010-07-30 14:06:53.000000000 -0400
 @@ -73,6 +73,7 @@
  sysnet_dns_name_resolve(podsleuth_t)
  
@@ -5561,7 +5651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.8.8/policy/modules/apps/pulseaudio.if
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.if	2010-07-30 14:06:53.000000000 -0400
 @@ -35,6 +35,10 @@
  	allow pulseaudio_t $2:unix_stream_socket connectto;
  	allow $2 pulseaudio_t:unix_stream_socket connectto;
@@ -5575,7 +5665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.8.8/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.te	2010-07-30 14:06:53.000000000 -0400
 @@ -44,6 +44,7 @@
  manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
@@ -5626,7 +5716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.8.8/policy/modules/apps/qemu.if
 --- nsaserefpolicy/policy/modules/apps/qemu.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/qemu.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/qemu.if	2010-07-30 14:06:53.000000000 -0400
 @@ -275,6 +275,67 @@
  
  ########################################
@@ -5722,7 +5812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if 
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.8.8/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/qemu.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/qemu.te	2010-07-30 14:06:53.000000000 -0400
 @@ -102,6 +102,10 @@
  	xen_rw_image_files(qemu_t)
  ')
@@ -5745,18 +5835,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te 
  	allow unconfined_qemu_t qemu_exec_t:file execmod;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.8.8/policy/modules/apps/sambagui.fc
 --- nsaserefpolicy/policy/modules/apps/sambagui.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sambagui.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1 @@
 +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.8.8/policy/modules/apps/sambagui.if
 --- nsaserefpolicy/policy/modules/apps/sambagui.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sambagui.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,2 @@
 +## <summary>system-config-samba policy</summary>
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.8.8/policy/modules/apps/sambagui.te
 --- nsaserefpolicy/policy/modules/apps/sambagui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,66 @@
 +policy_module(sambagui,1.0.0)
 +
@@ -5826,12 +5916,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.8.8/policy/modules/apps/sandbox.fc
 --- nsaserefpolicy/policy/modules/apps/sandbox.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1 @@
 +# No types are sandbox_exec_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.8.8/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if	2010-08-03 14:37:32.000000000 -0400
 @@ -0,0 +1,314 @@
 +
 +## <summary>policy for sandbox</summary>
@@ -5919,7 +6009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	')
 +
 +	type $1_t, sandbox_domain, sandbox_x_type;
-+	domain_type($1_t)
++	application_type($1_t)
 +
 +	mls_rangetrans_target($1_t)
 +
@@ -5954,7 +6044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	')
 +
 +	type $1_t, sandbox_x_domain;
-+	domain_type($1_t)
++	application_type($1_t)
 +
 +	type $1_file_t, sandbox_file_type;
 +	files_type($1_file_t)
@@ -5976,7 +6066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	allow $1_t self:capability setuid;
 +
 +	type $1_client_t, sandbox_x_domain;
-+	domain_type($1_client_t)
++	application_type($1_client_t)
 +
 +	type $1_client_tmpfs_t, sandbox_tmpfs_type;
 +	files_tmpfs_file($1_client_tmpfs_t)
@@ -6149,7 +6239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te	2010-08-03 13:19:32.000000000 -0400
 @@ -0,0 +1,390 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
@@ -6186,7 +6276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +#
 +# sandbox xserver policy
 +#
-+allow sandbox_xserver_t self:process execmem;
++allow sandbox_xserver_t self:process { execmem execstack };
 +allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
 +allow sandbox_xserver_t self:shm create_shm_perms;
 +allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
@@ -6543,7 +6633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.8.8/policy/modules/apps/seunshare.if
 --- nsaserefpolicy/policy/modules/apps/seunshare.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/seunshare.if	2010-07-30 14:06:53.000000000 -0400
 @@ -53,8 +53,14 @@
  
  ########################################
@@ -6597,8 +6687,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te	2010-07-27 16:12:03.000000000 -0400
-@@ -5,40 +5,41 @@
++++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te	2010-08-06 12:05:20.000000000 -0400
+@@ -5,40 +5,45 @@
  # Declarations
  #
  
@@ -6612,8 +6702,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
  #
  # seunshare local policy
  #
-+allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin };
-+allow seunshare_domain self:process { fork setexec signal getcap setcap };
++allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
  
 -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
 -allow seunshare_t self:process { setexec signal getcap setcap };
@@ -6622,29 +6712,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
  
 -allow seunshare_t self:fifo_file rw_file_perms;
 -allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
-+corecmd_exec_shell(seunshare_domain)
-+corecmd_exec_bin(seunshare_domain)
++kernel_read_system_state(seunshare_domain)
  
 -corecmd_exec_shell(seunshare_t)
 -corecmd_exec_bin(seunshare_t)
-+files_search_all(seunshare_domain)
-+files_read_etc_files(seunshare_domain)
-+files_mounton_all_poly_members(seunshare_domain)
++corecmd_exec_shell(seunshare_domain)
++corecmd_exec_bin(seunshare_domain)
  
 -files_read_etc_files(seunshare_t)
 -files_mounton_all_poly_members(seunshare_t)
-+fs_manage_cgroup_dirs(seunshare_domain)
++files_search_all(seunshare_domain)
++files_read_etc_files(seunshare_domain)
++files_mounton_all_poly_members(seunshare_domain)
  
 -auth_use_nsswitch(seunshare_t)
-+auth_use_nsswitch(seunshare_domain)
++fs_manage_cgroup_dirs(seunshare_domain)
++fs_manage_cgroup_files(seunshare_domain)
  
 -logging_send_syslog_msg(seunshare_t)
-+logging_send_syslog_msg(seunshare_domain)
++auth_use_nsswitch(seunshare_domain)
  
 -miscfiles_read_localization(seunshare_t)
-+miscfiles_read_localization(seunshare_domain)
++logging_send_syslog_msg(seunshare_domain)
  
 -userdom_use_user_terminals(seunshare_t)
++miscfiles_read_localization(seunshare_domain)
++
 +userdom_use_user_terminals(seunshare_domain)
  
  ifdef(`hide_broken_symptoms', `
@@ -6657,9 +6750,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 +		mozilla_dontaudit_manage_user_home_files(seunshare_domain)
  	')
  ')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.fc serefpolicy-3.8.8/policy/modules/apps/telepathy.fc
 --- nsaserefpolicy/policy/modules/apps/telepathy.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,14 @@
 +HOME_DIR/\.mission-control(/.*)?				gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
 +HOME_DIR/\.cache/\.mc_connections		--		gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
@@ -6677,7 +6771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +/usr/libexec/telepathy-sunshine			--		gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.if serefpolicy-3.8.8/policy/modules/apps/telepathy.if
 --- nsaserefpolicy/policy/modules/apps/telepathy.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,188 @@
 +
 +## <summary>Telepathy framework.</summary>
@@ -6869,8 +6963,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.8/policy/modules/apps/telepathy.te
 --- nsaserefpolicy/policy/modules/apps/telepathy.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te	2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,309 @@
++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te	2010-08-04 11:57:36.000000000 -0400
+@@ -0,0 +1,310 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -6923,6 +7017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 +exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 +files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
++userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
 +
 +corenet_sendrecv_http_client_packets(telepathy_msn_t)
 +corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
@@ -7182,7 +7277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.fc serefpolicy-3.8.8/policy/modules/apps/userhelper.fc
 --- nsaserefpolicy/policy/modules/apps/userhelper.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/userhelper.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -7,3 +7,4 @@
  # /usr
  #
@@ -7190,7 +7285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.8.8/policy/modules/apps/userhelper.if
 --- nsaserefpolicy/policy/modules/apps/userhelper.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/userhelper.if	2010-07-30 14:06:53.000000000 -0400
 @@ -25,6 +25,7 @@
  	gen_require(`
  		attribute userhelper_type;
@@ -7269,7 +7364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.8.8/policy/modules/apps/userhelper.te
 --- nsaserefpolicy/policy/modules/apps/userhelper.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/userhelper.te	2010-07-30 14:06:53.000000000 -0400
 @@ -6,9 +6,51 @@
  #
  
@@ -7324,7 +7419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.8.8/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/vmware.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/vmware.te	2010-07-30 14:06:53.000000000 -0400
 @@ -126,6 +126,7 @@
  dev_read_sysfs(vmware_host_t)
  dev_read_urand(vmware_host_t)
@@ -7335,7 +7430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
  domain_dontaudit_read_all_domains_state(vmware_host_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.if serefpolicy-3.8.8/policy/modules/apps/webalizer.if
 --- nsaserefpolicy/policy/modules/apps/webalizer.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/webalizer.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/webalizer.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -7356,7 +7451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalize
  ## <param name="role">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.8.8/policy/modules/apps/wine.fc
 --- nsaserefpolicy/policy/modules/apps/wine.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wine.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wine.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -2,6 +2,7 @@
  
  /opt/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
@@ -7367,8 +7462,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc 
  /opt/google/picasa(/.*)?/bin/progman --	gen_context(system_u:object_r:wine_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.8.8/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wine.if	2010-07-27 16:12:03.000000000 -0400
-@@ -35,6 +35,8 @@
++++ serefpolicy-3.8.8/policy/modules/apps/wine.if	2010-08-05 17:18:31.000000000 -0400
+@@ -29,12 +29,16 @@
+ #
+ template(`wine_role',`
+ 	gen_require(`
++		type wine_t;
++		type wine_home_t;
+ 		type wine_exec_t;
+ 	')
+ 
  	role $1 types wine_t;
  
  	domain_auto_trans($2, wine_exec_t, wine_t)
@@ -7377,26 +7480,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if 
  	allow wine_t $2:fd use;
  	allow wine_t $2:process { sigchld signull };
  	allow wine_t $2:unix_stream_socket connectto;
-@@ -101,9 +103,16 @@
+@@ -86,6 +90,7 @@
+ #
+ template(`wine_role_template',`
+ 	gen_require(`
++		type wine_t;
+ 		type wine_exec_t;
+ 	')
+ 
+@@ -101,9 +106,16 @@
  	corecmd_bin_domtrans($1_wine_t, $1_t)
  
  	userdom_unpriv_usertype($1, $1_wine_t)
 -	userdom_manage_user_tmpfs_files($1_wine_t)
 +	userdom_manage_tmpfs_role($2, $1_wine_t)
- 
--	domain_mmap_low($1_wine_t)
++
 +	domain_mmap_low_type($1_wine_t)
 +	tunable_policy(`mmap_low_allowed',`
-+		domain_mmap_low($1_wine_t)
++		allow $1_wine_t self:memprotect mmap_zero;
 +	')
-+
+ 
+-	domain_mmap_low($1_wine_t)
 +	tunable_policy(`wine_mmap_zero_ignore',`
-+		allow $1_wine_t self:memprotect mmap_zero;
++		dontaudit $1_wine_t self:memprotect mmap_zero;
 +	')
  
  	optional_policy(`
  		xserver_role($1_r, $1_wine_t)
-@@ -136,7 +145,7 @@
+@@ -136,7 +148,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -7407,7 +7518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if 
  ## <param name="role">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.8.8/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wine.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wine.te	2010-07-30 14:06:53.000000000 -0400
 @@ -1,5 +1,13 @@
  policy_module(wine, 1.7.1)
  
@@ -7429,7 +7540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te 
 -domain_mmap_low(wine_t)
 +domain_mmap_low_type(wine_t)
 +tunable_policy(`mmap_low_allowed',`
-+	domain_mmap_low(wine_t)
++	allow wine_t self:memprotect mmap_zero;
 +')
 +tunable_policy(`wine_mmap_zero_ignore',`
 +	dontaudit wine_t self:memprotect mmap_zero;
@@ -7452,7 +7563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te 
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.te serefpolicy-3.8.8/policy/modules/apps/wireshark.te
 --- nsaserefpolicy/policy/modules/apps/wireshark.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wireshark.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wireshark.te	2010-07-30 14:06:53.000000000 -0400
 @@ -15,6 +15,7 @@
  type wireshark_home_t;
  typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
@@ -7472,7 +7583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshar
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.8.8/policy/modules/apps/wm.if
 --- nsaserefpolicy/policy/modules/apps/wm.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wm.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wm.if	2010-07-30 14:06:53.000000000 -0400
 @@ -75,6 +75,10 @@
  	miscfiles_read_fonts($1_wm_t)
  	miscfiles_read_localization($1_wm_t)
@@ -7486,7 +7597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
  		dbus_session_bus_client($1_wm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -9,8 +9,10 @@
  /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -7535,7 +7646,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +239,8 @@
+@@ -220,6 +231,7 @@
+ 
+ /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/dayplanner/dayplanner --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/denyhosts/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/denyhosts/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+@@ -228,6 +240,8 @@
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7544,7 +7663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +327,7 @@
+@@ -314,6 +328,7 @@
  /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@@ -7552,7 +7671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +354,24 @@
+@@ -340,3 +355,24 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -7579,7 +7698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.8.8/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.if	2010-07-30 14:06:53.000000000 -0400
 @@ -931,6 +931,7 @@
  
  	read_lnk_files_pattern($1, bin_t, bin_t)
@@ -7598,7 +7717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.fc serefpolicy-3.8.8/policy/modules/kernel/corenetwork.fc
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -5,3 +5,6 @@
  /dev/tap.*	-c	gen_context(system_u:object_r:tun_tap_device_t,s0)
  
@@ -7608,7 +7727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in	2010-08-04 13:10:54.000000000 -0400
 @@ -24,6 +24,7 @@
  #
  type tun_tap_device_t;
@@ -7659,7 +7778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -124,8 +132,9 @@
+@@ -124,29 +132,32 @@
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
  network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@@ -7670,7 +7789,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(kismet, tcp,2501,s0)
  network_port(kprop, tcp,754,s0)
  network_port(ktalkd, udp,517,s0, udp,518,s0)
-@@ -137,16 +146,17 @@
+ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
+ network_port(lirc, tcp,8765,s0)
++network_port(luci, tcp,8084,s0)
+ network_port(lmtp, tcp,24,s0, udp,24,s0)
+ type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
+ network_port(mail, tcp,2000,s0, tcp,3905,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
@@ -7691,7 +7815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(ntp, udp,123,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -154,12 +164,20 @@
+@@ -154,12 +165,20 @@
  network_port(pegasus_https, tcp,5989,s0)
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
@@ -7712,7 +7836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -174,24 +192,27 @@
+@@ -174,24 +193,27 @@
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -7743,7 +7867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -201,16 +222,17 @@
+@@ -201,16 +223,17 @@
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -7766,7 +7890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.8.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -176,13 +176,12 @@
  
  /etc/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
@@ -7794,8 +7918,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-07-27 16:12:03.000000000 -0400
-@@ -497,6 +497,24 @@
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-08-04 12:08:01.000000000 -0400
+@@ -461,6 +461,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow relablefrom for generic character device files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_relabelfrom_generic_chr_files',`
++	gen_require(`
++		type device_t;
++	')
++
++	allow $1 device_t:chr_file relabelfrom;
++')
++
++########################################
++## <summary>
+ ##	Dontaudit getattr for generic character device files.
+ ## </summary>
+ ## <param name="domain">
+@@ -497,6 +515,24 @@
  
  ########################################
  ## <summary>
@@ -7820,7 +7969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Read and write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -606,6 +624,24 @@
+@@ -606,6 +642,24 @@
  
  ########################################
  ## <summary>
@@ -7845,7 +7994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Create, delete, read, and write symbolic links in device directories.
  ## </summary>
  ## <param name="domain">
-@@ -1015,6 +1051,42 @@
+@@ -1015,6 +1069,42 @@
  
  ########################################
  ## <summary>
@@ -7888,7 +8037,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -3540,6 +3612,24 @@
+@@ -1277,6 +1367,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Relableto the autofs device node.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_relabelto_autofs_dev',`
++	gen_require(`
++		type autofs_device_t;
++	')
++
++	allow $1 autofs_device_t:chr_file relabelto;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to get the attributes of
+ ##	the autofs device node.
+ ## </summary>
+@@ -3540,6 +3648,24 @@
  
  ########################################
  ## <summary>
@@ -7913,7 +8087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3851,6 +3941,24 @@
+@@ -3851,6 +3977,24 @@
  
  ########################################
  ## <summary>
@@ -7938,7 +8112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4161,11 +4269,10 @@
+@@ -4161,11 +4305,10 @@
  #
  interface(`dev_rw_vhost',`
  	gen_require(`
@@ -7954,7 +8128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.8.8/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.te	2010-07-30 14:06:53.000000000 -0400
 @@ -100,6 +100,7 @@
  #
  type kvm_device_t;
@@ -7972,7 +8146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.8.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/domain.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/domain.if	2010-07-30 14:06:53.000000000 -0400
 @@ -611,7 +611,7 @@
  
  ########################################
@@ -7991,7 +8165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1372,18 +1372,34 @@
+@@ -1372,13 +1372,11 @@
  ##	</summary>
  ## </param>
  #
@@ -8006,30 +8180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  	typeattribute $1 mmap_low_domain_type;
  ')
  
- ########################################
- ## <summary>
-+##	Ability to mmap a low area of the address space,
-+##      as configured by /proc/sys/kernel/mmap_min_addr.
-+##      Preventing such mappings helps protect against
-+##      exploiting null deref bugs in the kernel.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to mmap low memory.
-+##	</summary>
-+## </param>
-+#
-+interface(`domain_mmap_low',`
-+
-+	allow $1 self:memprotect mmap_zero;
-+')
-+
-+########################################
-+## <summary>
- ##	Allow specified type to receive labeled
- ##	networking packets from all domains, over
- ##	all protocols (TCP, UDP, etc)
-@@ -1445,3 +1461,22 @@
+@@ -1445,3 +1443,22 @@
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
  ')
@@ -8054,7 +8205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.8.8/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/domain.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/domain.te	2010-07-30 14:06:53.000000000 -0400
 @@ -4,6 +4,21 @@
  #
  # Declarations
@@ -8222,7 +8373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.8.8/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -18,6 +18,7 @@
  /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -8324,7 +8475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.if	2010-08-10 05:23:35.000000000 -0400
 @@ -1053,10 +1053,8 @@
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8429,7 +8580,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Mount a filesystem on /mnt.
-@@ -3711,6 +3765,64 @@
+@@ -3420,6 +3474,24 @@
+ 	read_files_pattern($1, mnt_t, mnt_t)
+ ')
+ 
++######################################
++## <summary>
++##  Read symbolic links in /mnt.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`files_read_mnt_symlinks',`
++    gen_require(`
++        type mnt_t;
++    ')
++
++    read_lnk_files_pattern($1, mnt_t, mnt_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Create, read, write, and delete symbolic links in /mnt.
+@@ -3711,6 +3783,82 @@
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -8472,6 +8648,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +    manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
 +')
 +
++######################################
++## <summary>
++##  Relabel manageable system configuration files in /etc.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`files_relabelto_system_conf_files',`
++    gen_require(`
++        type usr_t;
++    ')
++
++    relabelto_files_pattern($1, system_conf_t, system_conf_t)
++')
++
 +###################################
 +## <summary>
 +##  Create files in /etc with the type used for
@@ -8494,7 +8688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3896,6 +4008,32 @@
+@@ -3896,6 +4044,32 @@
  
  ########################################
  ## <summary>
@@ -8527,7 +8721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4109,6 +4247,13 @@
+@@ -4109,6 +4283,13 @@
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -8541,10 +8735,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  
  ########################################
-@@ -5298,6 +5443,25 @@
+@@ -5298,6 +5479,43 @@
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
++######################################
++## <summary>
++## Add and remove entries from pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_pid_dirs',`
++    gen_require(`
++        type var_run_t;
++    ')
++
++    allow $1 var_run_t:dir rw_dir_perms;
++')
++
 +#######################################
 +## <summary>
 +##      Create generic pid directory.
@@ -8567,7 +8779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5505,6 +5669,26 @@
+@@ -5505,6 +5723,26 @@
  
  ########################################
  ## <summary>
@@ -8594,7 +8806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5522,6 +5706,7 @@
+@@ -5522,6 +5760,7 @@
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -8602,7 +8814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  
  ########################################
-@@ -5807,3 +5992,229 @@
+@@ -5807,3 +6046,229 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -8834,7 +9046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.8.8/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.te	2010-07-30 14:06:53.000000000 -0400
 @@ -11,6 +11,7 @@
  attribute mountpoint;
  attribute pidfile;
@@ -8868,7 +9080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  typealias etc_runtime_t alias firstboot_rw_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc
 --- nsaserefpolicy/policy/modules/kernel/filesystem.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,3 +1,3 @@
  /dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
  
@@ -8876,7 +9088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +/cgroup(/.*)? 	 	gen_context(system_u:object_r:cgroup_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if	2010-08-04 13:24:15.000000000 -0400
 @@ -1233,7 +1233,7 @@
  		type cifs_t;
  	')
@@ -9111,7 +9323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.8.8/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te	2010-07-30 14:06:53.000000000 -0400
 @@ -52,6 +52,7 @@
  fs_type(anon_inodefs_t)
  files_mountpoint(anon_inodefs_t)
@@ -9155,7 +9367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.8.8/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if	2010-07-30 14:06:53.000000000 -0400
 @@ -1977,7 +1977,7 @@
  	')
  
@@ -9216,7 +9428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.8.8/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/kernel.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/kernel.te	2010-07-30 14:06:53.000000000 -0400
 @@ -156,6 +156,7 @@
  #
  type unlabeled_t;
@@ -9278,7 +9490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  # Unlabeled process local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.8.8/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if	2010-07-30 14:06:53.000000000 -0400
 @@ -40,7 +40,7 @@
  
  	# because of this statement, any module which
@@ -9338,7 +9550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.8.8/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -5,7 +5,7 @@
  /dev/n?osst[0-3].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
  /dev/n?pt[0-9]+		-c	gen_context(system_u:object_r:tape_device_t,s0)
@@ -9357,7 +9569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
 +/lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.8.8/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/storage.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/storage.if	2010-08-05 14:41:46.000000000 -0400
 @@ -101,6 +101,8 @@
  	dev_list_all_dev_nodes($1)
  	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
@@ -9367,9 +9579,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
  	typeattribute $1 fixed_disk_raw_read;
  ')
  
+@@ -203,6 +205,8 @@
+ 		type fixed_disk_device_t;
+ 	')
+ 
++	allow $1 self:capability mknod;
++
+ 	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ 	dev_add_entry_generic_dirs($1)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.8.8/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if	2010-08-03 13:44:23.000000000 -0400
 @@ -292,9 +292,11 @@
  interface(`term_dontaudit_use_console',`
  	gen_require(`
@@ -9401,7 +9622,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
  ')
  
  ########################################
-@@ -1352,7 +1354,7 @@
+@@ -1252,10 +1254,12 @@
+ interface(`term_dontaudit_getattr_all_ttys',`
+ 	gen_require(`
+ 		attribute ttynode;
++		type tty_device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	dontaudit $1 ttynode:chr_file getattr;
++	dontaudit $1 tty_device_t:chr_file getattr;
+ ')
+ 
+ ########################################
+@@ -1352,7 +1356,7 @@
  		attribute ttynode;
  	')
  
@@ -9412,7 +9646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.8.8/policy/modules/roles/auditadm.te
 --- nsaserefpolicy/policy/modules/roles/auditadm.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/auditadm.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/auditadm.te	2010-07-30 14:06:53.000000000 -0400
 @@ -28,10 +28,13 @@
  logging_manage_audit_config(auditadm_t)
  logging_run_auditctl(auditadm_t, auditadm_r)
@@ -9429,7 +9663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.8.8/policy/modules/roles/guest.te
 --- nsaserefpolicy/policy/modules/roles/guest.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/guest.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/guest.te	2010-07-30 14:06:53.000000000 -0400
 @@ -14,4 +14,8 @@
  # Local policy
  #
@@ -9442,7 +9676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.8.8/policy/modules/roles/secadm.te
 --- nsaserefpolicy/policy/modules/roles/secadm.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/secadm.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/secadm.te	2010-07-30 14:06:53.000000000 -0400
 @@ -9,6 +9,8 @@
  
  userdom_unpriv_user_template(secadm)
@@ -9454,7 +9688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.8.8/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/staff.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/staff.te	2010-07-30 14:06:53.000000000 -0400
 @@ -8,25 +8,55 @@
  role staff_r;
  
@@ -9651,7 +9885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.8/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te	2010-07-30 14:06:53.000000000 -0400
 @@ -27,17 +27,29 @@
  
  corecmd_exec_shell(sysadm_t)
@@ -10008,7 +10242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 +miscfiles_read_hwdata(sysadm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.8.8/policy/modules/roles/unconfineduser.fc
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,8 @@
 +# Add programs here which should not be confined by SELinux
 +# e.g.:
@@ -10020,7 +10254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,667 @@
 +## <summary>Unconfiend user role</summary>
 +
@@ -10691,8 +10925,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te	2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,448 @@
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te	2010-08-11 07:44:10.000000000 -0400
+@@ -0,0 +1,453 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -10958,6 +11192,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +	')
 +
 +	optional_policy(`
++		ipsec_mgmt_dbus_chat(unconfined_usertype)
++	')
++
++	optional_policy(`
 +		kerneloops_dbus_chat(unconfined_usertype)
 +	')
 +
@@ -11102,6 +11340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +	unconfined_domain_noaudit(unconfined_execmem_t)
 +	allow unconfined_execmem_t unconfined_t:process transition;
 +	rpm_transition_script(unconfined_execmem_t)
++	role system_r types unconfined_execmem_t;
 +
 +	optional_policy(`
 +		init_dbus_chat_script(unconfined_execmem_t)
@@ -11143,7 +11382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.8.8/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/unprivuser.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/unprivuser.te	2010-07-30 14:06:53.000000000 -0400
 @@ -12,10 +12,13 @@
  
  userdom_unpriv_user_template(user)
@@ -11204,7 +11443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.8.8/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/xguest.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/xguest.te	2010-08-06 11:01:58.000000000 -0400
 @@ -14,7 +14,7 @@
  
  ## <desc>
@@ -11286,10 +11525,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +
 +optional_policy(`
 +	nsplugin_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
-+	telepathy_dbus_session_role(xguest_r, xguest_t)
  ')
  
  optional_policy(`
@@ -11330,22 +11565,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +		corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
 +		corenet_tcp_connect_transproxy_port(xguest_usertype)
 +	')
-+')
 +
++	optional_policy(`
++		telepathy_dbus_session_role(xguest_r, xguest_t)
+ 	')
+ ')
+ 
+-#gen_user(xguest_u,, xguest_r, s0, s0)
 +optional_policy(`
 +	gen_require(`
 +		type mozilla_t;
- 	')
++	')
 +
 +	allow xguest_t mozilla_t:process transition;
 +	role xguest_r types mozilla_t;
- ')
- 
--#gen_user(xguest_u,, xguest_r, s0, s0)
++')
++
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.8.8/policy/modules/services/abrt.fc
 --- nsaserefpolicy/policy/modules/services/abrt.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/abrt.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/abrt.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -15,6 +15,7 @@
  
  /var/run/abrt\.pid		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -11356,7 +11595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  /var/spool/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.8.8/policy/modules/services/abrt.if
 --- nsaserefpolicy/policy/modules/services/abrt.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/abrt.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/abrt.if	2010-08-10 07:15:12.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -11450,7 +11689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  ##	All of the rules required to administrate
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.8/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/abrt.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/abrt.te	2010-08-03 09:01:25.000000000 -0400
 @@ -5,6 +5,14 @@
  # Declarations
  #
@@ -11510,7 +11749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  
  logging_read_generic_logs(abrt_t)
  logging_send_syslog_msg(abrt_t)
-@@ -140,6 +151,11 @@
+@@ -140,6 +151,15 @@
  miscfiles_read_localization(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -11519,10 +11758,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 +tunable_policy(`abrt_anon_write',`
 +        miscfiles_manage_public_files(abrt_t)
 +')
++
++optional_policy(`
++	apache_read_modules(abrt_t)
++')
  
  optional_policy(`
  	dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,7 +166,12 @@
+@@ -150,7 +170,12 @@
  ')
  
  optional_policy(`
@@ -11536,7 +11779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -178,6 +199,12 @@
+@@ -178,6 +203,12 @@
  ')
  
  optional_policy(`
@@ -11549,7 +11792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  	sssd_stream_connect(abrt_t)
  ')
  
-@@ -203,6 +230,7 @@
+@@ -203,6 +234,7 @@
  domain_read_all_domains_state(abrt_helper_t)
  
  files_read_etc_files(abrt_helper_t)
@@ -11557,7 +11800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -217,11 +245,26 @@
+@@ -217,11 +249,26 @@
  term_dontaudit_use_all_ptys(abrt_helper_t)
  
  ifdef(`hide_broken_symptoms', `
@@ -11586,7 +11829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.8.8/policy/modules/services/afs.if
 --- nsaserefpolicy/policy/modules/services/afs.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/afs.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/afs.if	2010-07-30 14:06:53.000000000 -0400
 @@ -63,7 +63,7 @@
  ## </summary>
  ## <param name="domain">
@@ -11598,7 +11841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.8.8/policy/modules/services/afs.te
 --- nsaserefpolicy/policy/modules/services/afs.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/afs.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/afs.te	2010-07-30 14:06:53.000000000 -0400
 @@ -82,6 +82,10 @@
  
  kernel_rw_afs_state(afs_t)
@@ -11612,7 +11855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
  corenet_tcp_sendrecv_generic_if(afs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.8.8/policy/modules/services/aiccu.fc
 --- nsaserefpolicy/policy/modules/services/aiccu.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/aiccu.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/aiccu.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,6 @@
 +/etc/aiccu.conf			--	gen_context(system_u:object_r:aiccu_etc_t,s0)
 +/etc/rc\.d/init\.d/aiccu	--	gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
@@ -11622,7 +11865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +/var/run/aiccu\.pid		--	gen_context(system_u:object_r:aiccu_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.8.8/policy/modules/services/aiccu.if
 --- nsaserefpolicy/policy/modules/services/aiccu.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/aiccu.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/aiccu.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,118 @@
 +## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
 +
@@ -11744,7 +11987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.8.8/policy/modules/services/aiccu.te
 --- nsaserefpolicy/policy/modules/services/aiccu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/aiccu.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/aiccu.te	2010-07-30 14:55:47.000000000 -0400
 @@ -0,0 +1,71 @@
 +policy_module(aiccu, 1.0.0)
 +
@@ -11819,7 +12062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +sysnet_dns_name_resolve(aiccu_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.8.8/policy/modules/services/aisexec.te
 --- nsaserefpolicy/policy/modules/services/aisexec.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/aisexec.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/aisexec.te	2010-08-03 09:16:29.000000000 -0400
 @@ -32,7 +32,7 @@
  # aisexec local policy
  #
@@ -11841,7 +12084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.8.8/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/amavis.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/amavis.te	2010-07-30 14:06:53.000000000 -0400
 @@ -92,9 +92,10 @@
  logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
  
@@ -11856,7 +12099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
  # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -24,7 +24,6 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -11877,7 +12120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -11908,7 +12151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.if	2010-08-03 09:01:04.000000000 -0400
 @@ -13,17 +13,13 @@
  #
  template(`apache_content_template',`
@@ -12117,7 +12360,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ##	Apache cache.
  ## </summary>
  ## <param name="domain">
-@@ -756,6 +789,7 @@
+@@ -740,6 +773,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow the specified domain to read
++##	the apache module directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`apache_read_modules',`
++	gen_require(`
++		type httpd_modules_t;
++	')
++
++	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
++')
++
++########################################
++## <summary>
+ ##	Allow the specified domain to list
+ ##	the contents of the apache modules
+ ##	directory.
+@@ -756,6 +808,7 @@
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -12125,7 +12394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -814,6 +848,7 @@
+@@ -814,6 +867,7 @@
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -12133,7 +12402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	files_search_var($1)
  ')
  
-@@ -841,6 +876,74 @@
+@@ -841,6 +895,74 @@
  	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
  ')
  
@@ -12208,7 +12477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -858,6 +961,11 @@
+@@ -858,6 +980,11 @@
  	gen_require(`
  		attribute httpdcontent;
  		type httpd_sys_script_t;
@@ -12220,7 +12489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1053,7 @@
+@@ -945,7 +1072,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -12229,7 +12498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -1086,6 +1194,25 @@
+@@ -1086,6 +1213,25 @@
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -12255,7 +12524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1102,7 +1229,7 @@
+@@ -1102,7 +1248,7 @@
  		type httpd_tmp_t;
  	')
  
@@ -12264,7 +12533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -1172,7 +1299,7 @@
+@@ -1172,7 +1318,7 @@
  		type httpd_modules_t, httpd_lock_t;
  		type httpd_var_run_t, httpd_php_tmp_t;
  		type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -12273,7 +12542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  
  	allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1329,43 @@
+@@ -1202,12 +1348,43 @@
  
  	kernel_search_proc($1)
  	allow $1 httpd_t:dir list_dir_perms;
@@ -12320,7 +12589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.8.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.te	2010-08-10 11:21:49.000000000 -0400
 @@ -18,6 +18,8 @@
  # Declarations
  #
@@ -12606,7 +12875,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -513,7 +625,13 @@
+@@ -500,8 +612,10 @@
+ # are dontaudited here.
+ tunable_policy(`httpd_tty_comm',`
+ 	userdom_use_user_terminals(httpd_t)
++	userdom_use_user_terminals(httpd_suexec_t)
+ ',`
+ 	userdom_dontaudit_use_user_terminals(httpd_t)
++	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+ ')
+ 
+ optional_policy(`
+@@ -513,7 +627,13 @@
  ')
  
  optional_policy(`
@@ -12621,7 +12901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -528,7 +646,7 @@
+@@ -528,7 +648,7 @@
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -12630,7 +12910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +655,12 @@
+@@ -537,8 +657,12 @@
  ')
  
  optional_policy(`
@@ -12644,7 +12924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -557,6 +679,7 @@
+@@ -557,6 +681,7 @@
  
  optional_policy(`
  	# Allow httpd to work with mysql
@@ -12652,7 +12932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +690,7 @@
+@@ -567,6 +692,7 @@
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -12660,7 +12940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -577,12 +701,23 @@
+@@ -577,12 +703,23 @@
  ')
  
  optional_policy(`
@@ -12684,7 +12964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -591,6 +726,11 @@
+@@ -591,6 +728,11 @@
  ')
  
  optional_policy(`
@@ -12696,7 +12976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +743,10 @@
+@@ -603,6 +745,10 @@
  	yam_read_content(httpd_t)
  ')
  
@@ -12707,7 +12987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache helper local policy
-@@ -618,6 +762,10 @@
+@@ -618,6 +764,10 @@
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -12718,7 +12998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache PHP script local policy
-@@ -699,17 +847,18 @@
+@@ -699,17 +849,18 @@
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -12740,7 +13020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +889,21 @@
+@@ -740,10 +891,21 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -12763,7 +13043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +929,12 @@
+@@ -769,6 +931,12 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -12776,7 +13056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache system script local policy
-@@ -792,9 +958,13 @@
+@@ -792,9 +960,13 @@
  files_search_var_lib(httpd_sys_script_t)
  files_search_spool(httpd_sys_script_t)
  
@@ -12790,7 +13070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,6 +973,22 @@
+@@ -803,6 +975,22 @@
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -12813,7 +13093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1016,16 @@
+@@ -830,6 +1018,16 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -12830,7 +13110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1038,7 @@
+@@ -842,6 +1040,7 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12838,7 +13118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -891,11 +1088,33 @@
+@@ -891,11 +1090,33 @@
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -12877,7 +13157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.8.8/policy/modules/services/apcupsd.te
 --- nsaserefpolicy/policy/modules/services/apcupsd.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apcupsd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apcupsd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -94,6 +94,10 @@
  ')
  
@@ -12891,7 +13171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.if serefpolicy-3.8.8/policy/modules/services/apm.if
 --- nsaserefpolicy/policy/modules/services/apm.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apm.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apm.if	2010-07-30 14:06:53.000000000 -0400
 @@ -25,7 +25,7 @@
  ## </summary>
  ## <param name="domain">
@@ -12912,7 +13192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.8.8/policy/modules/services/apm.te
 --- nsaserefpolicy/policy/modules/services/apm.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apm.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apm.te	2010-07-30 14:06:53.000000000 -0400
 @@ -62,6 +62,7 @@
  dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
  allow apmd_t self:process { signal_perms getsession };
@@ -12942,7 +13222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.8.8/policy/modules/services/arpwatch.te
 --- nsaserefpolicy/policy/modules/services/arpwatch.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te	2010-08-03 09:15:01.000000000 -0400
 @@ -50,6 +50,7 @@
  kernel_read_kernel_sysctls(arpwatch_t)
  kernel_list_proc(arpwatch_t)
@@ -12961,7 +13241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
  fs_getattr_all_fs(arpwatch_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.8.8/policy/modules/services/asterisk.te
 --- nsaserefpolicy/policy/modules/services/asterisk.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/asterisk.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/asterisk.te	2010-07-30 14:06:53.000000000 -0400
 @@ -99,6 +99,7 @@
  corenet_tcp_bind_generic_node(asterisk_t)
  corenet_udp_bind_generic_node(asterisk_t)
@@ -12991,7 +13271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.8.8/policy/modules/services/automount.if
 --- nsaserefpolicy/policy/modules/services/automount.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/automount.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/automount.if	2010-07-30 14:06:53.000000000 -0400
 @@ -25,7 +25,7 @@
  ## </summary>
  ## <param name="domain">
@@ -13003,7 +13283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.8.8/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/automount.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/automount.te	2010-07-30 14:06:53.000000000 -0400
 @@ -145,6 +145,7 @@
  
  # Run mount in the mount_t domain.
@@ -13014,7 +13294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
  userdom_dontaudit_use_unpriv_user_fds(automount_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.8.8/policy/modules/services/avahi.if
 --- nsaserefpolicy/policy/modules/services/avahi.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/avahi.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/avahi.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -13043,7 +13323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.8.8/policy/modules/services/avahi.te
 --- nsaserefpolicy/policy/modules/services/avahi.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/avahi.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/avahi.te	2010-07-30 14:06:53.000000000 -0400
 @@ -37,10 +37,11 @@
  manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
  files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
@@ -13059,7 +13339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
  kernel_read_kernel_sysctls(avahi_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.8.8/policy/modules/services/bind.if
 --- nsaserefpolicy/policy/modules/services/bind.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bind.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bind.if	2010-07-30 14:06:53.000000000 -0400
 @@ -359,9 +359,9 @@
  interface(`bind_admin',`
  	gen_require(`
@@ -13084,7 +13364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
  	admin_pattern($1, named_var_run_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.8.8/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bind.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bind.te	2010-07-30 14:06:53.000000000 -0400
 @@ -89,9 +89,10 @@
  manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
  files_tmp_filetrans(named_t, named_tmp_t, { file dir })
@@ -13099,7 +13379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
  allow named_t named_zone_t:dir list_dir_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.8.8/policy/modules/services/bitlbee.te
 --- nsaserefpolicy/policy/modules/services/bitlbee.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bitlbee.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bitlbee.te	2010-07-30 14:06:53.000000000 -0400
 @@ -27,6 +27,7 @@
  # Local policy
  #
@@ -13121,7 +13401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl
  sysnet_dns_name_resolve(bitlbee_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.8.8/policy/modules/services/bluetooth.if
 --- nsaserefpolicy/policy/modules/services/bluetooth.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bluetooth.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bluetooth.if	2010-07-30 14:06:53.000000000 -0400
 @@ -64,7 +64,7 @@
  ## </summary>
  ## <param name="domain">
@@ -13195,10 +13475,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.8.8/policy/modules/services/boinc.fc
 --- nsaserefpolicy/policy/modules/services/boinc.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/boinc.fc	2010-08-10 07:13:34.000000000 -0400
 @@ -0,0 +1,8 @@
 +
-+/etc/rc\.d/init\.d/boinc_client		-- 	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/boinc-client		-- 	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 +
 +/usr/bin/boinc_client			--	gen_context(system_u:object_r:boinc_exec_t,s0)
 +
@@ -13207,7 +13487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +/var/lib/boinc/slots(/.*)?          	 	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.8.8/policy/modules/services/boinc.if
 --- nsaserefpolicy/policy/modules/services/boinc.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/boinc.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,151 @@
 +
 +## <summary>policy for boinc</summary>
@@ -13362,8 +13642,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te
 --- nsaserefpolicy/policy/modules/services/boinc.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.te	2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,143 @@
++++ serefpolicy-3.8.8/policy/modules/services/boinc.te	2010-08-11 07:44:10.000000000 -0400
+@@ -0,0 +1,145 @@
 +policy_module(boinc,1.0.0)
 +
 +########################################
@@ -13483,6 +13763,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
 +allow boinc_project_t self:process { execmem execstack };
 +
++allow boinc_project_t self:fifo_file rw_fifo_file_perms;
++
 +allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
 +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
 +manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
@@ -13509,7 +13791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.8.8/policy/modules/services/bugzilla.fc
 --- nsaserefpolicy/policy/modules/services/bugzilla.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bugzilla.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,4 @@
 +
 +/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
@@ -13517,7 +13799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
 +/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.8.8/policy/modules/services/bugzilla.if
 --- nsaserefpolicy/policy/modules/services/bugzilla.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,81 @@
 +## <summary>Bugzilla server</summary>
 +
@@ -13587,7 +13869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
 +	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, httpd_bugzilla_script_t)
 +
-+	files_list_tmps($1)
++	files_list_tmp($1)
 +	admin_pattern($1, httpd_bugzilla_tmp_t)
 +
 +	files_search_var_lib(httpd_bugzilla_script_t)
@@ -13602,7 +13884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.te serefpolicy-3.8.8/policy/modules/services/bugzilla.te
 --- nsaserefpolicy/policy/modules/services/bugzilla.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bugzilla.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,56 @@
 +policy_module(bugzilla, 1.0)
 +
@@ -13662,7 +13944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.8.8/policy/modules/services/cachefilesd.fc
 --- nsaserefpolicy/policy/modules/services/cachefilesd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,29 @@
 +###############################################################################
 +#
@@ -13695,7 +13977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
 +/var/run/cachefilesd\.pid --	gen_context(system_u:object_r:cachefiles_var_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.8.8/policy/modules/services/cachefilesd.if
 --- nsaserefpolicy/policy/modules/services/cachefilesd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,41 @@
 +###############################################################################
 +#
@@ -13740,7 +14022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.8.8/policy/modules/services/cachefilesd.te
 --- nsaserefpolicy/policy/modules/services/cachefilesd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,147 @@
 +###############################################################################
 +#
@@ -13891,7 +14173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
 +dev_search_sysfs(cachefiles_kernel_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-3.8.8/policy/modules/services/canna.te
 --- nsaserefpolicy/policy/modules/services/canna.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/canna.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/canna.te	2010-07-30 14:06:53.000000000 -0400
 @@ -42,9 +42,10 @@
  manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
  files_var_lib_filetrans(canna_t, canna_var_lib_t, file)
@@ -13906,7 +14188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann
  kernel_read_system_state(canna_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.8.8/policy/modules/services/ccs.te
 --- nsaserefpolicy/policy/modules/services/ccs.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ccs.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ccs.te	2010-07-30 14:06:53.000000000 -0400
 @@ -118,5 +118,10 @@
  ')
  
@@ -13920,7 +14202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.8.8/policy/modules/services/certmaster.if
 --- nsaserefpolicy/policy/modules/services/certmaster.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/certmaster.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/certmaster.if	2010-07-30 14:06:53.000000000 -0400
 @@ -18,6 +18,25 @@
  	domtrans_pattern($1, certmaster_exec_t, certmaster_t)
  ')
@@ -13949,7 +14231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
  ##	read certmaster logs.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.8.8/policy/modules/services/certmonger.if
 --- nsaserefpolicy/policy/modules/services/certmonger.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/certmonger.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/certmonger.if	2010-07-30 14:06:53.000000000 -0400
 @@ -45,7 +45,7 @@
  ## </summary>
  ## <param name="domain">
@@ -13972,7 +14254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.8.8/policy/modules/services/certmonger.te
 --- nsaserefpolicy/policy/modules/services/certmonger.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/certmonger.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/certmonger.te	2010-07-30 14:06:53.000000000 -0400
 @@ -68,5 +68,5 @@
  ')
  
@@ -13982,7 +14264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.8.8/policy/modules/services/cgroup.te
 --- nsaserefpolicy/policy/modules/services/cgroup.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cgroup.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cgroup.te	2010-08-10 07:20:55.000000000 -0400
 @@ -18,8 +18,8 @@
  type cgrules_etc_t;
  files_config_file(cgrules_etc_t)
@@ -13994,6 +14276,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
  init_daemon_domain(cgconfig_t, cgconfig_exec_t)
  
  type cgconfig_initrc_exec_t;
+@@ -33,7 +33,7 @@
+ # cgconfig personal policy.
+ #
+ 
+-allow cgconfig_t self:capability { chown sys_admin };
++allow cgconfig_t self:capability { dac_override fowner chown sys_admin };
+ 
+ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+ 
 @@ -53,7 +53,7 @@
  # cgred personal policy.
  #
@@ -14013,7 +14304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
  files_getattr_all_sockets(cgred_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.8.8/policy/modules/services/chronyd.if
 --- nsaserefpolicy/policy/modules/services/chronyd.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/chronyd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/chronyd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -19,6 +19,24 @@
  	domtrans_pattern($1, chronyd_exec_t, chronyd_t)
  ')
@@ -14122,7 +14413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.8.8/policy/modules/services/chronyd.te
 --- nsaserefpolicy/policy/modules/services/chronyd.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/chronyd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/chronyd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -15,6 +15,9 @@
  type chronyd_keys_t;
  files_type(chronyd_keys_t)
@@ -14154,8 +14445,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
  corenet_udp_bind_chronyd_port(chronyd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/clamav.te	2010-07-27 16:12:03.000000000 -0400
-@@ -89,9 +89,10 @@
++++ serefpolicy-3.8.8/policy/modules/services/clamav.te	2010-08-10 08:26:22.000000000 -0400
+@@ -80,6 +80,7 @@
+ files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+ 
+ # var/lib files for clamd
++manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ 
+@@ -89,9 +90,10 @@
  logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
  
  # pid file
@@ -14167,7 +14466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
-@@ -189,6 +190,7 @@
+@@ -189,6 +191,7 @@
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -14175,7 +14474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,6 +209,8 @@
+@@ -207,6 +210,8 @@
  
  clamav_stream_connect(freshclam_t)
  
@@ -14186,7 +14485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.fc serefpolicy-3.8.8/policy/modules/services/cmirrord.fc
 --- nsaserefpolicy/policy/modules/services/cmirrord.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cmirrord.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cmirrord.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,6 @@
 +
 +/etc/rc\.d/init\.d/cmirrord	--	gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
@@ -14196,7 +14495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +/var/run/cmirrord\.pid		--	gen_context(system_u:object_r:cmirrord_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.8.8/policy/modules/services/cmirrord.if
 --- nsaserefpolicy/policy/modules/services/cmirrord.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cmirrord.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cmirrord.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,118 @@
 +
 +## <summary>policy for cmirrord</summary>
@@ -14318,7 +14617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.8.8/policy/modules/services/cmirrord.te
 --- nsaserefpolicy/policy/modules/services/cmirrord.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/cmirrord.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cmirrord.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,56 @@
 +policy_module(cmirrord,1.0.0)
 +
@@ -14378,7 +14677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.8.8/policy/modules/services/cobbler.fc
 --- nsaserefpolicy/policy/modules/services/cobbler.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cobbler.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cobbler.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,7 +1,32 @@
 -/etc/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_etc_t, s0)
 -/etc/rc\.d/init\.d/cobblerd --	gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -14419,7 +14718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 -/var/log/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_log_t, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.8.8/policy/modules/services/cobbler.if
 --- nsaserefpolicy/policy/modules/services/cobbler.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cobbler.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cobbler.if	2010-07-30 14:06:53.000000000 -0400
 @@ -1,14 +1,4 @@
  ## <summary>Cobbler installation server.</summary>
 -## <desc>
@@ -14673,7 +14972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.8/policy/modules/services/cobbler.te
 --- nsaserefpolicy/policy/modules/services/cobbler.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cobbler.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cobbler.te	2010-08-05 09:43:50.000000000 -0400
 @@ -1,3 +1,4 @@
 +
  policy_module(cobbler, 1.1.0)
@@ -14715,7 +15014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  
  type cobblerd_t;
  type cobblerd_exec_t;
-@@ -23,28 +46,45 @@
+@@ -23,28 +46,46 @@
  type cobbler_etc_t;
  files_config_file(cobbler_etc_t)
  
@@ -14747,7 +15046,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  allow cobblerd_t self:fifo_file rw_fifo_file_perms;
 +allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
  allow cobblerd_t self:tcp_socket create_stream_socket_perms;
-+allow cobblerd_t self:udp_socket create_stream_socket_perms;
++allow cobblerd_t self:udp_socket create_socket_perms;
++allow cobblerd_t self:unix_dgram_socket create_socket_perms;
  
  list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
  read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
@@ -14768,7 +15068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  
  append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
  create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,39 +92,93 @@
+@@ -52,39 +93,93 @@
  setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
  logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
  
@@ -14821,7 +15121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 +
 +init_dontaudit_read_all_script_files(cobblerd_t)
 +
-+term_dontaudit_use_console(cobblerd_t)
++term_use_console(cobblerd_t)
  
  miscfiles_read_localization(cobblerd_t)
  miscfiles_read_public_files(cobblerd_t)
@@ -14866,7 +15166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  optional_policy(`
  	bind_read_config(cobblerd_t)
  	bind_write_config(cobblerd_t)
-@@ -95,6 +189,10 @@
+@@ -95,6 +190,10 @@
  ')
  
  optional_policy(`
@@ -14877,7 +15177,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  	dhcpd_domtrans(cobblerd_t)
  	dhcpd_initrc_domtrans(cobblerd_t)
  ')
-@@ -110,12 +208,20 @@
+@@ -106,16 +205,28 @@
+ ')
+ 
+ optional_policy(`
++	gnome_dontaudit_search_config(cobblerd_t)
++')
++
++optional_policy(`
+ 	rpm_exec(cobblerd_t)
  ')
  
  optional_policy(`
@@ -14901,7 +15209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  ')
  
  ########################################
-@@ -123,6 +229,18 @@
+@@ -123,6 +234,18 @@
  # Cobbler web local policy.
  #
  
@@ -14925,7 +15233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.8.8/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/consolekit.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/consolekit.te	2010-07-30 14:06:53.000000000 -0400
 @@ -15,6 +15,9 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
@@ -14992,7 +15300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.8.8/policy/modules/services/corosync.fc
 --- nsaserefpolicy/policy/modules/services/corosync.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/corosync.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/corosync.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -3,6 +3,7 @@
  /usr/sbin/corosync		--	gen_context(system_u:object_r:corosync_exec_t,s0)
  
@@ -15003,7 +15311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.8/policy/modules/services/corosync.te
 --- nsaserefpolicy/policy/modules/services/corosync.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/corosync.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/corosync.te	2010-07-30 14:06:53.000000000 -0400
 @@ -5,6 +5,13 @@
  # Declarations
  #
@@ -15091,7 +15399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.8.8/policy/modules/services/courier.if
 --- nsaserefpolicy/policy/modules/services/courier.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/courier.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/courier.if	2010-07-30 14:06:53.000000000 -0400
 @@ -38,10 +38,12 @@
  	read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t)
  	allow courier_$1_t courier_etc_t:dir list_dir_perms;
@@ -15107,7 +15415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
  	kernel_read_kernel_sysctls(courier_$1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.8.8/policy/modules/services/courier.te
 --- nsaserefpolicy/policy/modules/services/courier.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/courier.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/courier.te	2010-07-30 14:06:53.000000000 -0400
 @@ -48,6 +48,7 @@
  allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
  allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
@@ -15118,7 +15426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.8/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -14,7 +14,7 @@
  /var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
  /var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -15138,7 +15446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.8.8/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.if	2010-07-30 14:06:53.000000000 -0400
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -15364,7 +15672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.8/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.te	2010-07-30 14:06:53.000000000 -0400
 @@ -63,9 +63,12 @@
  
  type crond_tmp_t;
@@ -15660,7 +15968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  tunable_policy(`fcron_crond', `
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.8.8/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cups.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cups.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -71,3 +71,9 @@
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/udev-configure-printer(/.*)? 	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
@@ -15673,7 +15981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.8.8/policy/modules/services/cups.if
 --- nsaserefpolicy/policy/modules/services/cups.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cups.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cups.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -15722,7 +16030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cups.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cups.te	2010-07-30 14:06:53.000000000 -0400
 @@ -15,6 +15,7 @@
  type cupsd_t;
  type cupsd_exec_t;
@@ -15822,7 +16130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  	fs_search_auto_mountpoints(cups_pdf_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.8.8/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cvs.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cvs.te	2010-07-30 14:06:53.000000000 -0400
 @@ -112,4 +112,5 @@
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -15831,7 +16139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.8.8/policy/modules/services/cyphesis.te
 --- nsaserefpolicy/policy/modules/services/cyphesis.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cyphesis.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cyphesis.te	2010-07-30 14:06:53.000000000 -0400
 @@ -36,9 +36,10 @@
  allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
  files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file)
@@ -15846,7 +16154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph
  kernel_read_kernel_sysctls(cyphesis_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.8.8/policy/modules/services/cyrus.te
 --- nsaserefpolicy/policy/modules/services/cyrus.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cyrus.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cyrus.te	2010-07-30 14:06:53.000000000 -0400
 @@ -135,6 +135,7 @@
  ')
  
@@ -15857,7 +16165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
  	snmp_stream_connect(cyrus_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.8.8/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dbus.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dbus.if	2010-07-30 14:06:53.000000000 -0400
 @@ -42,8 +42,10 @@
  	gen_require(`
  		class dbus { send_msg acquire_svc };
@@ -15946,7 +16254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  	')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.8.8/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dbus.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dbus.te	2010-07-30 14:06:53.000000000 -0400
 @@ -74,9 +74,10 @@
  
  read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
@@ -16002,7 +16310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.8.8/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dcc.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dcc.te	2010-07-30 14:06:53.000000000 -0400
 @@ -231,8 +231,9 @@
  manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
  files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
@@ -16016,7 +16324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
  kernel_read_kernel_sysctls(dccd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.8.8/policy/modules/services/denyhosts.if
 --- nsaserefpolicy/policy/modules/services/denyhosts.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/denyhosts.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/denyhosts.if	2010-07-30 14:06:53.000000000 -0400
 @@ -32,7 +32,7 @@
  ## </summary>
  ## <param name="domain">
@@ -16028,7 +16336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.8.8/policy/modules/services/denyhosts.te
 --- nsaserefpolicy/policy/modules/services/denyhosts.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te	2010-07-30 14:06:53.000000000 -0400
 @@ -25,7 +25,8 @@
  #
  # DenyHosts personal policy.
@@ -16068,7 +16376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.8.8/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/devicekit.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/devicekit.te	2010-08-10 11:09:06.000000000 -0400
 @@ -75,10 +75,12 @@
  manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
@@ -16111,13 +16419,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  
  allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
 -allow devicekit_power_t self:process getsched;
-+allow devicekit_disk_t self:process { getsched signal_perms };
++allow devicekit_power_t self:process { getsched signal_perms };
  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
  allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.8.8/policy/modules/services/dhcp.if
 --- nsaserefpolicy/policy/modules/services/dhcp.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dhcp.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dhcp.if	2010-07-30 14:06:53.000000000 -0400
 @@ -45,7 +45,7 @@
  ## </summary>
  ## <param name="domain">
@@ -16129,7 +16437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.8.8/policy/modules/services/dhcp.te
 --- nsaserefpolicy/policy/modules/services/dhcp.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dhcp.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dhcp.te	2010-07-30 14:06:53.000000000 -0400
 @@ -111,6 +111,11 @@
  ')
  
@@ -16144,7 +16452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.8.8/policy/modules/services/djbdns.te
 --- nsaserefpolicy/policy/modules/services/djbdns.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/djbdns.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/djbdns.te	2010-07-30 14:06:53.000000000 -0400
 @@ -22,6 +22,8 @@
  # Local policy for axfrdns component
  #
@@ -16156,7 +16464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.8.8/policy/modules/services/dnsmasq.if
 --- nsaserefpolicy/policy/modules/services/dnsmasq.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -16177,7 +16485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.8.8/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.te	2010-07-30 14:06:53.000000000 -0400
 @@ -92,7 +92,11 @@
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
  
@@ -16193,7 +16501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.8.8/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dovecot.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dovecot.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -25,7 +25,7 @@
  ifdef(`distro_redhat', `
  /usr/libexec/dovecot/auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
@@ -16205,7 +16513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.8.8/policy/modules/services/dovecot.if
 --- nsaserefpolicy/policy/modules/services/dovecot.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dovecot.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dovecot.if	2010-07-30 14:06:53.000000000 -0400
 @@ -93,12 +93,14 @@
  #
  interface(`dovecot_admin',`
@@ -16249,7 +16557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dovecot.te	2010-08-03 15:18:00.000000000 -0400
 @@ -58,7 +58,7 @@
  
  allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
@@ -16259,6 +16567,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  allow dovecot_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_t self:tcp_socket create_stream_socket_perms;
  allow dovecot_t self:unix_dgram_socket create_socket_perms;
+@@ -72,7 +72,7 @@
+ read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+ read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+ 
+-allow dovecot_t dovecot_etc_t:file read_file_perms;
++read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+ files_search_etc(dovecot_t)
+ 
+ can_exec(dovecot_t, dovecot_exec_t)
 @@ -94,10 +94,11 @@
  manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -16280,8 +16597,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -256,16 +258,22 @@
- allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+@@ -253,19 +255,25 @@
+ 
+ allow dovecot_deliver_t dovecot_t:process signull;
+ 
+-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
++read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
  
 +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
@@ -16312,7 +16633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.8.8/policy/modules/services/exim.fc
 --- nsaserefpolicy/policy/modules/services/exim.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/exim.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/exim.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,3 +1,6 @@
 +
 +/etc/rc\.d/init\.d/exim        --  gen_context(system_u:object_r:exim_initrc_exec_t,s0)
@@ -16322,7 +16643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
  /var/run/exim[0-9]?\.pid	--	gen_context(system_u:object_r:exim_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.8.8/policy/modules/services/exim.if
 --- nsaserefpolicy/policy/modules/services/exim.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/exim.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/exim.if	2010-07-30 14:06:53.000000000 -0400
 @@ -20,6 +20,24 @@
  
  ########################################
@@ -16397,7 +16718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.8.8/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/exim.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/exim.te	2010-07-30 14:06:53.000000000 -0400
 @@ -35,6 +35,9 @@
  application_executable_file(exim_exec_t)
  mta_agent_executable(exim_exec_t)
@@ -16429,7 +16750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.8.8/policy/modules/services/fail2ban.if
 --- nsaserefpolicy/policy/modules/services/fail2ban.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/fail2ban.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/fail2ban.if	2010-07-30 14:06:53.000000000 -0400
 @@ -138,6 +138,26 @@
  
  ########################################
@@ -16459,7 +16780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.8.8/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/fail2ban.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/fail2ban.te	2010-07-30 14:06:53.000000000 -0400
 @@ -94,5 +94,9 @@
  ')
  
@@ -16472,7 +16793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.8.8/policy/modules/services/fetchmail.te
 --- nsaserefpolicy/policy/modules/services/fetchmail.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/fetchmail.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/fetchmail.te	2010-07-30 14:06:53.000000000 -0400
 @@ -37,8 +37,9 @@
  allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
  mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
@@ -16486,7 +16807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc
  kernel_list_proc(fetchmail_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/finger.if serefpolicy-3.8.8/policy/modules/services/finger.if
 --- nsaserefpolicy/policy/modules/services/finger.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/finger.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/finger.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -16498,7 +16819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fing
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.8.8/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/fprintd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/fprintd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -54,4 +54,5 @@
  	policykit_read_lib(fprintd_t)
  	policykit_dbus_chat(fprintd_t)
@@ -16507,7 +16828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.8.8/policy/modules/services/ftp.fc
 --- nsaserefpolicy/policy/modules/services/ftp.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ftp.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ftp.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -29,3 +29,4 @@
  /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
  /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
@@ -16515,7 +16836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
 +/usr/libexec/webmin/vsftpd/webalizer/xfer_log 	--	gen_context(system_u:object_r:xferlog_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.8.8/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ftp.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ftp.te	2010-07-30 14:06:53.000000000 -0400
 @@ -40,6 +40,13 @@
  
  ## <desc>
@@ -16655,7 +16976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.8.8/policy/modules/services/git.fc
 --- nsaserefpolicy/policy/modules/services/git.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/git.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/git.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,3 +1,12 @@
 +HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_session_content_t, s0)
 +HOME_DIR/\.gitconfig	--	gen_context(system_u:object_r:git_session_content_t, s0)
@@ -16671,7 +16992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +/var/www/git/gitweb.cgi		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.8.8/policy/modules/services/git.if
 --- nsaserefpolicy/policy/modules/services/git.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/git.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/git.if	2010-07-30 14:06:53.000000000 -0400
 @@ -1 +1,525 @@
 -## <summary>GIT revision control system</summary>
 +## <summary>Fast Version Control System.</summary>
@@ -17201,7 +17522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.8.8/policy/modules/services/git.te
 --- nsaserefpolicy/policy/modules/services/git.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/git.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/git.te	2010-07-30 14:06:53.000000000 -0400
 @@ -1,8 +1,192 @@
 -policy_module(git, 1.0)
 +policy_module(git, 1.0.3)
@@ -17400,7 +17721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.8.8/policy/modules/services/gnomeclock.if
 --- nsaserefpolicy/policy/modules/services/gnomeclock.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/gnomeclock.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/gnomeclock.if	2010-07-30 14:06:53.000000000 -0400
 @@ -63,3 +63,24 @@
  	allow $1 gnomeclock_t:dbus send_msg;
  	allow gnomeclock_t $1:dbus send_msg;
@@ -17428,7 +17749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.8.8/policy/modules/services/gpsd.te
 --- nsaserefpolicy/policy/modules/services/gpsd.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/gpsd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/gpsd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -56,6 +56,10 @@
  miscfiles_read_localization(gpsd_t)
  
@@ -17442,7 +17763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.8.8/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/hal.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/hal.if	2010-07-30 14:06:53.000000000 -0400
 @@ -377,6 +377,26 @@
  
  ########################################
@@ -17472,7 +17793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.8.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/hal.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/hal.te	2010-07-30 14:06:53.000000000 -0400
 @@ -54,6 +54,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -17569,7 +17890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  # Local hald dccm policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.8.8/policy/modules/services/hddtemp.fc
 --- nsaserefpolicy/policy/modules/services/hddtemp.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/hddtemp.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/hddtemp.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,5 +1,3 @@
  /etc/rc\.d/init\.d/hddtemp	--	gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
  
@@ -17578,7 +17899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddt
  /usr/sbin/hddtemp		--	gen_context(system_u:object_r:hddtemp_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.8.8/policy/modules/services/icecast.te
 --- nsaserefpolicy/policy/modules/services/icecast.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/icecast.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/icecast.te	2010-07-30 14:06:53.000000000 -0400
 @@ -37,6 +37,8 @@
  manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
  files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
@@ -17600,7 +17921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.8.8/policy/modules/services/inetd.if
 --- nsaserefpolicy/policy/modules/services/inetd.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/inetd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/inetd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -178,7 +178,7 @@
  ## </summary>
  ## <param name="domain">
@@ -17621,7 +17942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.8/policy/modules/services/inn.te
 --- nsaserefpolicy/policy/modules/services/inn.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/inn.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/inn.te	2010-07-30 14:06:53.000000000 -0400
 @@ -56,7 +56,7 @@
  manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
  manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
@@ -17641,7 +17962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.8.8/policy/modules/services/kerberos.fc
 --- nsaserefpolicy/policy/modules/services/kerberos.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/kerberos.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/kerberos.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -8,7 +8,7 @@
  /etc/krb5kdc/kadm5\.keytab 	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
  /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@@ -17653,7 +17974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.8/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/kerberos.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/kerberos.te	2010-07-30 14:06:53.000000000 -0400
 @@ -126,10 +126,13 @@
  corenet_tcp_bind_generic_node(kadmind_t)
  corenet_udp_bind_generic_node(kadmind_t)
@@ -17680,7 +18001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.8.8/policy/modules/services/ksmtuned.fc
 --- nsaserefpolicy/policy/modules/services/ksmtuned.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -3,3 +3,5 @@
  /usr/sbin/ksmtuned		--	gen_context(system_u:object_r:ksmtuned_exec_t,s0)
  
@@ -17689,7 +18010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
 +/var/log/ksmtuned.*			gen_context(system_u:object_r:ksmtuned_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.8.8/policy/modules/services/ksmtuned.if
 --- nsaserefpolicy/policy/modules/services/ksmtuned.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.if	2010-07-30 14:06:53.000000000 -0400
 @@ -60,7 +60,7 @@
  	')
  
@@ -17701,7 +18022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
  	admin_pattern($1, ksmtuned_var_run_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.8.8/policy/modules/services/ksmtuned.te
 --- nsaserefpolicy/policy/modules/services/ksmtuned.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.te	2010-07-30 14:06:53.000000000 -0400
 @@ -9,6 +9,9 @@
  type ksmtuned_exec_t;
  init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
@@ -17741,7 +18062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.8.8/policy/modules/services/ldap.fc
 --- nsaserefpolicy/policy/modules/services/ldap.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ldap.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ldap.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,6 +1,8 @@
  
  /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
@@ -17759,7 +18080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
 +#/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.8.8/policy/modules/services/ldap.if
 --- nsaserefpolicy/policy/modules/services/ldap.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ldap.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ldap.if	2010-07-30 14:06:53.000000000 -0400
 @@ -1,5 +1,43 @@
  ## <summary>OpenLDAP directory server</summary>
  
@@ -17863,7 +18184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.8.8/policy/modules/services/ldap.te
 --- nsaserefpolicy/policy/modules/services/ldap.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ldap.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ldap.te	2010-07-30 14:06:53.000000000 -0400
 @@ -27,9 +27,15 @@
  type slapd_replog_t;
  files_type(slapd_replog_t)
@@ -17905,7 +18226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
  kernel_read_kernel_sysctls(slapd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.8.8/policy/modules/services/lircd.if
 --- nsaserefpolicy/policy/modules/services/lircd.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/lircd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/lircd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -45,7 +45,7 @@
  ## </summary>
  ## <param name="domain">
@@ -17917,7 +18238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.8.8/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/lircd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/lircd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -24,6 +24,7 @@
  #
  
@@ -17946,7 +18267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
  dev_rw_lirc(lircd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.te serefpolicy-3.8.8/policy/modules/services/lpd.te
 --- nsaserefpolicy/policy/modules/services/lpd.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/lpd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/lpd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -145,9 +145,10 @@
  manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
  files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
@@ -17976,7 +18297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.
  	fs_read_cifs_symlinks(lpr_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.8.8/policy/modules/services/memcached.if
 --- nsaserefpolicy/policy/modules/services/memcached.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/memcached.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/memcached.if	2010-07-30 14:06:53.000000000 -0400
 @@ -59,6 +59,7 @@
  	gen_require(`
  		type memcached_t;
@@ -17987,7 +18308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
  	allow $1 memcached_t:process { ptrace signal_perms };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.8.8/policy/modules/services/milter.if
 --- nsaserefpolicy/policy/modules/services/milter.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/milter.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/milter.if	2010-07-30 14:06:53.000000000 -0400
 @@ -37,6 +37,8 @@
  
  	files_read_etc_files($1_milter_t)
@@ -18024,7 +18345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.fc serefpolicy-3.8.8/policy/modules/services/mock.fc
 --- nsaserefpolicy/policy/modules/services/mock.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mock.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mock.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,6 @@
 +
 +/usr/sbin/mock		--	gen_context(system_u:object_r:mock_exec_t,s0)
@@ -18034,7 +18355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.if serefpolicy-3.8.8/policy/modules/services/mock.if
 --- nsaserefpolicy/policy/modules/services/mock.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mock.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mock.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,238 @@
 +
 +## <summary>policy for mock</summary>
@@ -18276,7 +18597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.8.8/policy/modules/services/mock.te
 --- nsaserefpolicy/policy/modules/services/mock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mock.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mock.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,98 @@
 +policy_module(mock,1.0.0)
 +
@@ -18378,7 +18699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.8.8/policy/modules/services/modemmanager.te
 --- nsaserefpolicy/policy/modules/services/modemmanager.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/modemmanager.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/modemmanager.te	2010-07-30 14:06:53.000000000 -0400
 @@ -16,7 +16,8 @@
  # ModemManager local policy
  #
@@ -18409,7 +18730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.fc serefpolicy-3.8.8/policy/modules/services/mojomojo.fc
 --- nsaserefpolicy/policy/modules/services/mojomojo.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mojomojo.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,5 @@
 +/usr/bin/mojomojo_fastcgi\.pl	--	gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
 +
@@ -18418,7 +18739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojo
 +/var/lib/mojomojo(/.*)?  		gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.if serefpolicy-3.8.8/policy/modules/services/mojomojo.if
 --- nsaserefpolicy/policy/modules/services/mojomojo.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mojomojo.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,43 @@
 +## <summary>Mojomojo server</summary>
 +
@@ -18465,7 +18786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojo
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.te serefpolicy-3.8.8/policy/modules/services/mojomojo.te
 --- nsaserefpolicy/policy/modules/services/mojomojo.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mojomojo.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,45 @@
 +policy_module(mojomojo, 1.0)
 +
@@ -18514,7 +18835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojo
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.8.8/policy/modules/services/mpd.fc
 --- nsaserefpolicy/policy/modules/services/mpd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mpd.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mpd.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,10 @@
 +
 +/etc/mpd\.conf		--      gen_context(system_u:object_r:mpd_etc_t,s0)
@@ -18528,7 +18849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +/var/lib/mpd/playlists(/.*)?   gen_context(system_u:object_r:mpd_data_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.8.8/policy/modules/services/mpd.if
 --- nsaserefpolicy/policy/modules/services/mpd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mpd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mpd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,274 @@
 +
 +## <summary>policy for daemon for playing music</summary>
@@ -18806,7 +19127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.8.8/policy/modules/services/mpd.te
 --- nsaserefpolicy/policy/modules/services/mpd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/mpd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mpd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,111 @@
 +policy_module(mpd,1.0.0)
 +
@@ -18921,7 +19242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.8.8/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -13,6 +13,8 @@
  
  /usr/bin/esmtp			-- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -18933,7 +19254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.if	2010-07-30 14:06:53.000000000 -0400
 @@ -220,6 +220,25 @@
  	application_executable_file($1)
  ')
@@ -19021,9 +19342,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
+@@ -899,3 +920,23 @@
+ 
+ 	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+ ')
++
++########################################
++## <summary>
++##	Type transition files created in calling dir 
++##	to the mail address aliases type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Directory to transition on.
++##	</summary>
++## </param>
++#
++interface(`mta_filetrans_aliases',`
++	filetrans_pattern($1, $2, etc_aliases_t, file)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.te	2010-07-30 14:06:53.000000000 -0400
 @@ -21,7 +21,7 @@
  files_config_file(etc_mail_t)
  
@@ -19033,20 +19378,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  type mqueue_spool_t;
  files_mountpoint(mqueue_spool_t)
-@@ -62,9 +62,9 @@
+@@ -50,22 +50,9 @@
+ 
+ # newalias required this, not sure if it is needed in 'if' file
+ allow system_mail_t self:capability { dac_override fowner };
+-allow system_mail_t self:fifo_file rw_fifo_file_perms;
+-
+-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
  
- can_exec(system_mail_t, mta_exec_type)
+ read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
  
+-allow system_mail_t mail_forward_t:file read_file_perms;
+-
+-allow system_mail_t mta_exec_type:file entrypoint;
+-
+-can_exec(system_mail_t, mta_exec_type)
+-
 -kernel_read_system_state(system_mail_t)
 -kernel_read_network_state(system_mail_t)
 -kernel_request_load_module(system_mail_t)
-+kernel_read_system_state(user_mail_domain)
-+kernel_read_network_state(user_mail_domain)
-+kernel_request_load_module(user_mail_domain)
- 
+-
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
-@@ -82,6 +82,9 @@
+ dev_read_urand(system_mail_t)
+@@ -82,6 +69,9 @@
  
  userdom_use_user_terminals(system_mail_t)
  userdom_dontaudit_search_user_home_dirs(system_mail_t)
@@ -19056,7 +19411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,6 +95,12 @@
+@@ -92,6 +82,12 @@
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -19069,7 +19424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -103,6 +112,11 @@
+@@ -103,6 +99,11 @@
  ')
  
  optional_policy(`
@@ -19081,7 +19436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	clamav_stream_connect(system_mail_t)
  	clamav_append_log(system_mail_t)
  ')
-@@ -111,6 +125,8 @@
+@@ -111,6 +112,8 @@
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
  	cron_rw_system_job_stream_sockets(system_mail_t)
@@ -19090,15 +19445,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -130,6 +146,7 @@
+@@ -124,12 +127,8 @@
+ ')
  
  optional_policy(`
+-	exim_domtrans(system_mail_t)
+-	exim_manage_log(system_mail_t)
+-')
+-
+-optional_policy(`
  	fail2ban_append_log(system_mail_t)
 +	fail2ban_dontaudit_leaks(system_mail_t)
  ')
  
  optional_policy(`
-@@ -146,6 +163,10 @@
+@@ -146,6 +145,10 @@
  ')
  
  optional_policy(`
@@ -19109,7 +19470,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -189,6 +210,10 @@
+@@ -158,18 +161,6 @@
+ 	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+ 
+ 	domain_use_interactive_fds(system_mail_t)
+-
+-	# postfix needs this for newaliases
+-	files_getattr_tmp_dirs(system_mail_t)
+-
+-	postfix_exec_master(system_mail_t)
+-	postfix_read_config(system_mail_t)
+-	postfix_search_spool(system_mail_t)
+-
+-	ifdef(`distro_redhat',`
+-		# compatability for old default main.cf
+-		postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+-	')
+ ')
+ 
+ optional_policy(`
+@@ -189,6 +180,10 @@
  ')
  
  optional_policy(`
@@ -19120,7 +19500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -220,6 +245,7 @@
+@@ -220,6 +215,7 @@
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -19128,18 +19508,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+@@ -292,3 +288,42 @@
+ 	postfix_read_config(user_mail_t)
+ 	postfix_list_spool(user_mail_t)
+ ')
++
++########################################
++#
++# Comman user_mail_domain policy
++#
++
++allow user_mail_domain self:fifo_file rw_fifo_file_perms;
++allow user_mail_domain mta_exec_type:file entrypoint;
++
++can_exec(user_mail_domain, mta_exec_type)
++
++allow system_mail_t user_mail_domain:file read_file_perms;
++
++read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
++
++kernel_read_system_state(user_mail_domain)
++kernel_read_network_state(user_mail_domain)
++kernel_request_load_module(user_mail_domain)
++
++
++
++optional_policy(`
++	# postfix needs this for newaliases
++	files_getattr_tmp_dirs(user_mail_domain)
++
++	postfix_exec_master(user_mail_domain)
++	postfix_read_config(user_mail_domain)
++	postfix_search_spool(user_mail_domain)
++
++	ifdef(`distro_redhat',`
++		# compatability for old default main.cf
++		postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
++	')
++')
++
++optional_policy(`
++	exim_domtrans(user_mail_domain)
++	exim_manage_log(user_mail_domain)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.8.8/policy/modules/services/munin.fc
+--- nsaserefpolicy/policy/modules/services/munin.fc	2010-07-27 16:06:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/munin.fc	2010-07-30 14:06:53.000000000 -0400
+@@ -63,6 +63,7 @@
+ /usr/share/munin/plugins/yum	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ 
+ /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
++/var/lib/munin/plugin-state(/.*)?	gen_context(system_u:object_r:munin_plugin_state_t,s0)
+ /var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
+ /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
+ /var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.8.8/policy/modules/services/munin.if
 --- nsaserefpolicy/policy/modules/services/munin.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/munin.if	2010-07-27 16:12:03.000000000 -0400
-@@ -36,6 +36,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/munin.if	2010-07-30 14:06:53.000000000 -0400
+@@ -13,10 +13,11 @@
+ #
+ template(`munin_plugin_template',`
+ 	gen_require(`
+-		type munin_t, munin_exec_t, munin_etc_t;
++		type munin_t;
++		attribute munin_plugin_domain;
+ 	')
+ 
+-	type $1_munin_plugin_t;
++	type $1_munin_plugin_t, munin_plugin_domain;
+ 	type $1_munin_plugin_exec_t;
+ 	typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+ 	typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+@@ -36,17 +37,8 @@
  	# automatic transition rules from munin domain
  	# to specific munin plugin domain
  	domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
 +	allow munin_t $1_munin_plugin_t:process signal;    
  
- 	allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
- 	allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
-@@ -92,6 +93,24 @@
+-	allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
+-	allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
+-
+-	read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
+-
+-	kernel_read_system_state($1_munin_plugin_t)
+-
+-	corecmd_exec_bin($1_munin_plugin_t)
+-
+-	miscfiles_read_localization($1_munin_plugin_t)
+ ')
+ 
+ ########################################
+@@ -92,6 +84,24 @@
  	files_search_etc($1)
  ')
  
@@ -19166,8 +19625,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ##	Append to the munin log.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.8.8/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/munin.te	2010-07-27 16:12:03.000000000 -0400
-@@ -40,7 +40,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/munin.te	2010-08-05 16:45:38.000000000 -0400
+@@ -5,6 +5,8 @@
+ # Declarations
+ #
+ 
++attribute munin_plugin_domain;
++
+ type munin_t alias lrrd_t;
+ type munin_exec_t alias lrrd_exec_t;
+ init_daemon_domain(munin_t, munin_exec_t)
+@@ -24,6 +26,9 @@
+ type munin_var_lib_t alias lrrd_var_lib_t;
+ files_type(munin_var_lib_t)
+ 
++type munin_plugin_state_t;
++files_type(munin_plugin_state_t)
++
+ type munin_var_run_t alias lrrd_var_run_t;
+ files_pid_file(munin_var_run_t)
+ 
+@@ -40,7 +45,7 @@
  # Local policy
  #
  
@@ -19176,7 +19654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  dontaudit munin_t self:capability sys_tty_config;
  allow munin_t self:process { getsched setsched signal_perms };
  allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -71,9 +71,10 @@
+@@ -71,9 +76,12 @@
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  files_search_var_lib(munin_t)
  
@@ -19185,10 +19663,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
 -files_pid_filetrans(munin_t, munin_var_run_t, file)
 +files_pid_filetrans(munin_t, munin_var_run_t, { file dir })
++
++read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
  
  kernel_read_system_state(munin_t)
  kernel_read_network_state(munin_t)
-@@ -145,6 +146,7 @@
+@@ -116,6 +124,7 @@
+ 
+ miscfiles_read_fonts(munin_t)
+ miscfiles_read_localization(munin_t)
++miscfiles_setattr_fonts_cache_dirs(munin_t)
+ 
+ sysnet_exec_ifconfig(munin_t)
+ 
+@@ -145,6 +154,7 @@
  optional_policy(`
  	mta_read_config(munin_t)
  	mta_send_mail(munin_t)
@@ -19196,7 +19684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  	mta_read_queue(munin_t)
  ')
  
-@@ -159,6 +161,7 @@
+@@ -159,6 +169,7 @@
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -19204,7 +19692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ')
  
  optional_policy(`
-@@ -182,6 +185,7 @@
+@@ -182,6 +193,7 @@
  # local policy for disk plugins
  #
  
@@ -19212,14 +19700,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -192,13 +196,15 @@
+@@ -190,15 +202,13 @@
  
- files_read_etc_files(disk_munin_plugin_t)
- files_read_etc_runtime_files(disk_munin_plugin_t)
-+files_read_usr_files(disk_munin_plugin_t)
+ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
  
- fs_getattr_all_fs(disk_munin_plugin_t)
+-files_read_etc_files(disk_munin_plugin_t)
+ files_read_etc_runtime_files(disk_munin_plugin_t)
  
+-fs_getattr_all_fs(disk_munin_plugin_t)
+-
 +dev_getattr_lvm_control(disk_munin_plugin_t)
  dev_read_sysfs(disk_munin_plugin_t)
  dev_read_urand(disk_munin_plugin_t)
@@ -19229,7 +19718,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -229,11 +235,13 @@
+@@ -221,19 +231,17 @@
+ 
+ dev_read_urand(mail_munin_plugin_t)
+ 
+-files_read_etc_files(mail_munin_plugin_t)
+-
+-fs_getattr_all_fs(mail_munin_plugin_t)
+-
+ logging_read_generic_logs(mail_munin_plugin_t)
  
  mta_read_config(mail_munin_plugin_t)
  mta_send_mail(mail_munin_plugin_t)
@@ -19243,16 +19740,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ')
  
  optional_policy(`
-@@ -249,6 +257,8 @@
- allow services_munin_plugin_t self:udp_socket create_socket_perms;
- allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -255,10 +263,6 @@
+ dev_read_urand(services_munin_plugin_t)
+ dev_read_rand(services_munin_plugin_t)
  
-+corecmd_exec_shell(services_munin_plugin_t)
-+
- corenet_tcp_connect_all_ports(services_munin_plugin_t)
- corenet_tcp_connect_http_port(services_munin_plugin_t)
+-fs_getattr_all_fs(services_munin_plugin_t)
+-
+-files_read_etc_files(services_munin_plugin_t)
+-
+ sysnet_read_config(services_munin_plugin_t)
  
-@@ -286,6 +296,10 @@
+ optional_policy(`
+@@ -286,6 +290,10 @@
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
@@ -19263,24 +19762,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ##################################
  #
  # local policy for system plugins
-@@ -300,6 +314,8 @@
- 
- corecmd_exec_shell(system_munin_plugin_t)
- 
-+files_read_etc_files(system_munin_plugin_t)
-+
- fs_getattr_all_fs(system_munin_plugin_t)
+@@ -298,10 +306,6 @@
+ kernel_read_network_state(system_munin_plugin_t)
+ kernel_read_all_sysctls(system_munin_plugin_t)
  
+-corecmd_exec_shell(system_munin_plugin_t)
+-
+-fs_getattr_all_fs(system_munin_plugin_t)
+-
  dev_read_sysfs(system_munin_plugin_t)
-@@ -313,3 +329,5 @@
+ dev_read_urand(system_munin_plugin_t)
+ 
+@@ -313,3 +317,29 @@
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
 +term_getattr_all_ptys(system_munin_plugin_t)
 +
++################################
++#
++# local policy for munin plugin domains
++#
++
++allow munin_plugin_domain munin_exec_t:file read_file_perms;
++allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
++
++# creates plugin state files
++manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
++
++read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
++
++kernel_read_system_state(munin_plugin_domain)
++
++corecmd_exec_bin(munin_plugin_domain)
++corecmd_exec_shell(munin_plugin_domain)
++
++files_read_etc_files(munin_plugin_domain)
++files_read_usr_files(munin_plugin_domain)
++
++fs_getattr_all_fs(munin_plugin_domain)
++
++miscfiles_read_localization(munin_plugin_domain)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.8.8/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mysql.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mysql.te	2010-07-30 14:06:53.000000000 -0400
 @@ -64,6 +64,7 @@
  
  manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -19319,7 +19844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  files_dontaudit_getattr_all_dirs(mysqld_safe_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.8.8/policy/modules/services/nagios.if
 --- nsaserefpolicy/policy/modules/services/nagios.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nagios.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nagios.if	2010-07-30 14:06:53.000000000 -0400
 @@ -159,6 +159,26 @@
  
  ########################################
@@ -19349,7 +19874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.8.8/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nagios.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nagios.te	2010-07-30 14:06:53.000000000 -0400
 @@ -107,13 +107,11 @@
  files_read_etc_runtime_files(nagios_t)
  files_read_kernel_symbol_table(nagios_t)
@@ -19385,7 +19910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.8.8/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/networkmanager.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/networkmanager.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -2,6 +2,10 @@
  
  /etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -19399,7 +19924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  /sbin/wpa_cli			--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.8.8/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/networkmanager.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/networkmanager.if	2010-07-30 14:06:53.000000000 -0400
 @@ -137,6 +137,27 @@
  
  ########################################
@@ -19481,7 +20006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.8.8/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/networkmanager.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/networkmanager.te	2010-07-30 14:06:53.000000000 -0400
 @@ -35,7 +35,7 @@
  
  # networkmanager will ptrace itself if gdb is installed
@@ -19574,7 +20099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.8.8/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nis.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nis.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,5 +1,5 @@
  /etc/rc\.d/init\.d/ypbind	--	gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/yppasswd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
@@ -19592,7 +20117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  /var/yp(/.*)?			gen_context(system_u:object_r:var_yp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.8.8/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nis.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nis.if	2010-08-05 14:51:55.000000000 -0400
 @@ -19,7 +19,7 @@
  ## </desc>
  ## <param name="domain">
@@ -19602,9 +20127,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  ##	</summary>
  ## </param>
  #
+@@ -49,12 +49,12 @@
+ 	corenet_udp_bind_generic_node($1)
+ 	corenet_tcp_bind_generic_port($1)
+ 	corenet_udp_bind_generic_port($1)
+-	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+-	corenet_dontaudit_udp_bind_all_reserved_ports($1)
++	corenet_tcp_bind_all_rpc_ports($1)
++	corenet_udp_bind_all_rpc_ports($1)
+ 	corenet_dontaudit_tcp_bind_all_ports($1)
+ 	corenet_dontaudit_udp_bind_all_ports($1)
+ 	corenet_tcp_connect_portmap_port($1)
+-	corenet_tcp_connect_reserved_port($1)
++	corenet_tcp_connect_all_reserved_ports($1)
+ 	corenet_tcp_connect_generic_port($1)
+ 	corenet_dontaudit_tcp_connect_all_ports($1)
+ 	corenet_sendrecv_portmap_client_packets($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.8.8/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nscd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nscd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -60,7 +60,7 @@
  ## </summary>
  ## <param name="domain">
@@ -19650,7 +20191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.8.8/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nscd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nscd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -1,9 +1,16 @@
 -policy_module(nscd, 1.10.0)
 +policy_module(nscd, 1.10.1)
@@ -19728,7 +20269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.8.8/policy/modules/services/nslcd.if
 --- nsaserefpolicy/policy/modules/services/nslcd.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nslcd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nslcd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -24,7 +24,7 @@
  ## </summary>
  ## <param name="domain">
@@ -19740,7 +20281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.8.8/policy/modules/services/nslcd.te
 --- nsaserefpolicy/policy/modules/services/nslcd.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nslcd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nslcd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -34,6 +34,8 @@
  manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
  files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
@@ -19752,7 +20293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc
  auth_use_nsswitch(nslcd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.8.8/policy/modules/services/ntp.if
 --- nsaserefpolicy/policy/modules/services/ntp.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ntp.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ntp.if	2010-07-30 14:06:53.000000000 -0400
 @@ -22,7 +22,7 @@
  ## </summary>
  ## <param name="domain">
@@ -19791,7 +20332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.8.8/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ntp.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ntp.te	2010-07-30 14:06:53.000000000 -0400
 @@ -96,9 +96,12 @@
  dev_read_sysfs(ntpd_t)
  # for SSP
@@ -19807,7 +20348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.8.8/policy/modules/services/nut.te
 --- nsaserefpolicy/policy/modules/services/nut.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nut.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nut.te	2010-07-30 14:06:53.000000000 -0400
 @@ -41,7 +41,7 @@
  manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
  manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
@@ -19830,7 +20371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
  # Local policy for upsdrvctl
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.8.8/policy/modules/services/nx.if
 --- nsaserefpolicy/policy/modules/services/nx.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nx.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nx.if	2010-07-30 14:06:53.000000000 -0400
 @@ -35,6 +35,7 @@
  
  	allow $1 nx_server_var_lib_t:dir search_dir_perms;
@@ -19841,7 +20382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.8.8/policy/modules/services/nx.te
 --- nsaserefpolicy/policy/modules/services/nx.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nx.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nx.te	2010-07-30 14:06:53.000000000 -0400
 @@ -27,6 +27,9 @@
  type nx_server_var_run_t;
  files_pid_file(nx_server_var_run_t)
@@ -19864,7 +20405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.8.8/policy/modules/services/oddjob.fc
 --- nsaserefpolicy/policy/modules/services/oddjob.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/oddjob.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/oddjob.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,4 +1,5 @@
  /usr/lib(64)?/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
 +/usr/libexec/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
@@ -19873,8 +20414,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.8.8/policy/modules/services/oddjob.if
 --- nsaserefpolicy/policy/modules/services/oddjob.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/oddjob.if	2010-07-27 16:12:03.000000000 -0400
-@@ -44,6 +44,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/oddjob.if	2010-08-10 05:23:35.000000000 -0400
+@@ -22,6 +22,25 @@
+ 	domtrans_pattern($1, oddjob_exec_t, oddjob_t)
+ ')
+ 
++#####################################
++## <summary>
++##      Do not audit attempts to read and write 
++##      oddjob fifo file.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`oddjob_dontaudit_rw_fifo_file',`
++        gen_require(`
++                type shutdown_t;
++        ')
++
++        dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Make the specified program domain accessable
+@@ -44,6 +63,7 @@
  	')
  
  	domtrans_pattern(oddjob_t, $2, $1)
@@ -19882,9 +20449,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
  ')
  
  ########################################
+@@ -67,6 +87,24 @@
+ 	allow oddjob_t $1:dbus send_msg;
+ ')
+ 
++######################################
++## <summary>
++##      Send a SIGCHLD signal to oddjob.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`oddjob_sigchld',`
++        gen_require(`
++                type oddjob_t;
++        ')
++
++        allow $1 oddjob_t:process sigchld;
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute a domain transition to run oddjob_mkhomedir.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.8.8/policy/modules/services/oddjob.te
 --- nsaserefpolicy/policy/modules/services/oddjob.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/oddjob.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/oddjob.te	2010-07-30 14:06:53.000000000 -0400
 @@ -99,8 +99,7 @@
  
  # Add/remove user home directories
@@ -19898,7 +20490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oident.te serefpolicy-3.8.8/policy/modules/services/oident.te
 --- nsaserefpolicy/policy/modules/services/oident.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/oident.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/oident.te	2010-07-30 14:06:53.000000000 -0400
 @@ -48,6 +48,7 @@
  kernel_read_network_state(oidentd_t)
  kernel_read_network_state_symlinks(oidentd_t)
@@ -19909,7 +20501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.8.8/policy/modules/services/openct.te
 --- nsaserefpolicy/policy/modules/services/openct.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/openct.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/openct.te	2010-07-30 14:06:53.000000000 -0400
 @@ -20,9 +20,10 @@
  dontaudit openct_t self:capability sys_tty_config;
  allow openct_t self:process signal_perms;
@@ -19924,7 +20516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  kernel_list_proc(openct_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.8.8/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/openvpn.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/openvpn.te	2010-07-30 14:06:53.000000000 -0400
 @@ -24,6 +24,9 @@
  type openvpn_etc_rw_t;
  files_config_file(openvpn_etc_rw_t)
@@ -19957,9 +20549,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  
  tunable_policy(`openvpn_enable_homedirs',`
  	userdom_read_user_home_content_files(openvpn_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.8.8/policy/modules/services/pcscd.te
+--- nsaserefpolicy/policy/modules/services/pcscd.te	2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pcscd.te	2010-08-04 14:25:34.000000000 -0400
+@@ -44,7 +44,8 @@
+ dev_rw_generic_usb_dev(pcscd_t)
+ dev_rw_smartcard(pcscd_t)
+ dev_rw_usbfs(pcscd_t)
+-dev_search_sysfs(pcscd_t)
++dev_list_sysfs(pcscd_t)
++dev_read_sysfs(pcscd_t)
+ 
+ files_read_etc_files(pcscd_t)
+ files_read_etc_runtime_files(pcscd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.8.8/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/pegasus.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pegasus.te	2010-07-30 14:06:53.000000000 -0400
 @@ -29,7 +29,7 @@
  # Local policy
  #
@@ -20043,7 +20648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/perdition.if serefpolicy-3.8.8/policy/modules/services/perdition.if
 --- nsaserefpolicy/policy/modules/services/perdition.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/perdition.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/perdition.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -20055,8 +20660,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/perd
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.fc serefpolicy-3.8.8/policy/modules/services/piranha.fc
 --- nsaserefpolicy/policy/modules/services/piranha.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/piranha.fc	2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,21 @@
++++ serefpolicy-3.8.8/policy/modules/services/piranha.fc	2010-08-04 13:10:54.000000000 -0400
+@@ -0,0 +1,26 @@
 +
 +/etc/rc\.d/init\.d/pulse	--	gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
 +
@@ -20065,11 +20670,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +
 +/etc/piranha/lvs\.cf		--	gen_context(system_u:object_r:piranha_etc_rw_t,s0)
 +
++/usr/bin/paster         --      gen_context(system_u:object_r:piranha_web_exec_t,s0)
++
 +/usr/sbin/fos               --  gen_context(system_u:object_r:piranha_fos_exec_t,s0)
 +/usr/sbin/lvsd				--	gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
 +/usr/sbin/piranha_gui		--	gen_context(system_u:object_r:piranha_web_exec_t,s0)
 +/usr/sbin/pulse       		--  gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
 +
++/var/lib/luci(/.*)?             gen_context(system_u:object_r:piranha_web_data_t,s0)
++/var/lib/luci/cert(/.*)?        gen_context(system_u:object_r:piranha_web_conf_t,s0)
++/var/lib/luci/etc(/.*)?         gen_context(system_u:object_r:piranha_web_conf_t,s0)
++
 +/var/log/piranha(/.*)?			gen_context(system_u:object_r:piranha_log_t,s0)
 +
 +/var/run/fos\.pid           --  gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
@@ -20077,10 +20688,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +/var/run/piranha-httpd\.pid --	gen_context(system_u:object_r:piranha_web_var_run_t,s0)
 +/var/run/pulse\.pid         --  gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
 +
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.if serefpolicy-3.8.8/policy/modules/services/piranha.if
 --- nsaserefpolicy/policy/modules/services/piranha.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/piranha.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/piranha.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,175 @@
 +
 +## <summary>policy for piranha</summary>
@@ -20259,8 +20869,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.8.8/policy/modules/services/piranha.te
 --- nsaserefpolicy/policy/modules/services/piranha.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/piranha.te	2010-07-27 16:12:03.000000000 -0400
-@@ -0,0 +1,188 @@
++++ serefpolicy-3.8.8/policy/modules/services/piranha.te	2010-08-10 05:23:35.000000000 -0400
+@@ -0,0 +1,216 @@
 +policy_module(piranha,1.0.0)
 +
 +########################################
@@ -20291,6 +20901,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +type piranha_web_tmpfs_t;
 +files_tmpfs_file(piranha_web_tmpfs_t)
 +
++type piranha_web_conf_t;
++files_type(piranha_web_conf_t)
++
++type piranha_web_data_t;
++files_type(piranha_web_data_t)
++
++type piranha_web_tmp_t;
++files_tmp_file(piranha_web_tmp_t)
++
 +type piranha_etc_rw_t;
 +files_type(piranha_etc_rw_t)
 +
@@ -20317,19 +20936,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +#
 +
 +allow piranha_web_t self:capability { setuid sys_nice kill setgid };
-+allow piranha_web_t self:process { getsched setsched signal ptrace };
++allow piranha_web_t self:process { getsched setsched signal signull ptrace };
 +allow piranha_web_t self:rawip_socket create_socket_perms;
 +
 +allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
 +allow piranha_web_t self:sem create_sem_perms;
 +allow piranha_web_t self:shm create_shm_perms;
 +
++manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
++
++read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
++
 +rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
 +
 +manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
 +manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
 +logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } )
 +
++can_exec(piranha_web_t, piranha_web_tmp_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
++
 +manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
 +manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
 +fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
@@ -20338,7 +20968,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +
 +kernel_read_kernel_sysctls(piranha_web_t)
 +
++corenet_tcp_bind_http_cache_port(piranha_web_t)
++corenet_tcp_bind_luci_port(piranha_web_t)
 +corenet_tcp_bind_piranha_port(piranha_web_t)
++corenet_tcp_connect_ricci_port(piranha_web_t)
 +
 +dev_read_urand(piranha_web_t)
 +
@@ -20349,10 +20982,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +consoletype_exec(piranha_web_t)
 +
 +optional_policy(`
++	apache_read_config(piranha_web_t)
 +	apache_exec_modules(piranha_web_t)
 +	apache_exec(piranha_web_t)
 +')
 +
++optional_policy(`
++        sasl_connect(piranha_web_t)
++')
++
 +######################################
 +#
 +# piranha-lvs local policy
@@ -20451,7 +21089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +sysnet_read_config(piranha_domain)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.8.8/policy/modules/services/plymouthd.te
 --- nsaserefpolicy/policy/modules/services/plymouthd.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/plymouthd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/plymouthd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -60,10 +60,14 @@
  files_read_etc_files(plymouthd_t)
  files_read_usr_files(plymouthd_t)
@@ -20477,7 +21115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.8.8/policy/modules/services/policykit.fc
 --- nsaserefpolicy/policy/modules/services/policykit.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -6,10 +6,13 @@
  /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
  /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -20495,7 +21133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.8.8/policy/modules/services/policykit.if
 --- nsaserefpolicy/policy/modules/services/policykit.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.if	2010-07-30 14:06:53.000000000 -0400
 @@ -17,12 +17,37 @@
  		class dbus send_msg;
  	')
@@ -20594,7 +21232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.te	2010-08-10 11:37:04.000000000 -0400
 @@ -24,6 +24,9 @@
  type policykit_reload_t alias polkit_reload_t;
  files_type(policykit_reload_t)
@@ -20639,7 +21277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  
  auth_use_nsswitch(policykit_t)
  
-@@ -67,45 +77,82 @@
+@@ -67,45 +77,84 @@
  
  miscfiles_read_localization(policykit_t)
  
@@ -20681,6 +21319,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  
 +policykit_dbus_chat(policykit_auth_t)
 +
++kernel_read_system_state(policykit_auth_t)
++
  can_exec(policykit_auth_t, policykit_auth_exec_t)
 -corecmd_search_bin(policykit_auth_t)
 +corecmd_exec_bin(policykit_auth_t)
@@ -20728,7 +21368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -118,6 +165,14 @@
+@@ -118,6 +167,14 @@
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -20743,7 +21383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  ########################################
  #
  # polkit_grant local policy
-@@ -125,7 +180,8 @@
+@@ -125,7 +182,8 @@
  
  allow policykit_grant_t self:capability setuid;
  allow policykit_grant_t self:process getattr;
@@ -20753,7 +21393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -155,9 +211,12 @@
+@@ -155,9 +213,12 @@
  userdom_read_all_users_state(policykit_grant_t)
  
  optional_policy(`
@@ -20767,7 +21407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -169,7 +228,8 @@
+@@ -169,7 +230,8 @@
  
  allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
  allow policykit_resolve_t self:process getattr;
@@ -20779,7 +21419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.if serefpolicy-3.8.8/policy/modules/services/portmap.if
 --- nsaserefpolicy/policy/modules/services/portmap.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/portmap.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/portmap.if	2010-07-30 14:06:53.000000000 -0400
 @@ -52,7 +52,7 @@
  ## </summary>
  ## <param name="domain">
@@ -20800,7 +21440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.8.8/policy/modules/services/portreserve.fc
 --- nsaserefpolicy/policy/modules/services/portreserve.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/portreserve.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/portreserve.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,3 +1,6 @@
 +
 +/etc/rc\.d/init\.d/portreserve    --  gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
@@ -20810,7 +21450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
  /sbin/portreserve		--	gen_context(system_u:object_r:portreserve_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.8.8/policy/modules/services/portreserve.if
 --- nsaserefpolicy/policy/modules/services/portreserve.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/portreserve.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/portreserve.if	2010-07-30 14:06:53.000000000 -0400
 @@ -18,6 +18,24 @@
  	domtrans_pattern($1, portreserve_exec_t, portreserve_t)
  ')
@@ -20879,7 +21519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.8.8/policy/modules/services/portreserve.te
 --- nsaserefpolicy/policy/modules/services/portreserve.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/portreserve.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/portreserve.te	2010-07-30 14:06:53.000000000 -0400
 @@ -9,6 +9,9 @@
  type portreserve_exec_t;
  init_daemon_domain(portreserve_t, portreserve_exec_t)
@@ -20907,7 +21547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
 +userdom_dontaudit_search_user_home_content(portreserve_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.8.8/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postfix.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,4 +1,5 @@
  # postfix
 +/etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
@@ -20929,7 +21569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.8.8/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postfix.if	2010-07-30 14:06:53.000000000 -0400
 @@ -376,6 +376,25 @@
  	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
  ')
@@ -21140,7 +21780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.8/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postfix.te	2010-07-30 14:06:53.000000000 -0400
 @@ -5,6 +5,15 @@
  # Declarations
  #
@@ -21224,7 +21864,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  files_type(postfix_spool_flush_t)
  
  type postfix_public_t;
-@@ -150,6 +172,9 @@
+@@ -99,7 +121,9 @@
+ allow postfix_master_t self:udp_socket create_socket_perms;
+ allow postfix_master_t self:process setrlimit;
+ 
++allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
+ allow postfix_master_t postfix_etc_t:file rw_file_perms;
++mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
+ 
+ can_exec(postfix_master_t, postfix_exec_t)
+ 
+@@ -150,6 +174,9 @@
  corenet_udp_sendrecv_generic_node(postfix_master_t)
  corenet_tcp_sendrecv_all_ports(postfix_master_t)
  corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -21234,7 +21884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  corenet_tcp_bind_generic_node(postfix_master_t)
  corenet_tcp_bind_amavisd_send_port(postfix_master_t)
  corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +192,8 @@
+@@ -167,6 +194,8 @@
  domain_use_interactive_fds(postfix_master_t)
  
  files_read_usr_files(postfix_master_t)
@@ -21243,7 +21893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  term_dontaudit_search_ptys(postfix_master_t)
  
-@@ -304,9 +331,17 @@
+@@ -304,9 +333,17 @@
  ')
  
  optional_policy(`
@@ -21261,7 +21911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  #
  # Postfix map local policy
-@@ -420,6 +455,7 @@
+@@ -420,6 +457,7 @@
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -21269,7 +21919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ')
  
  optional_policy(`
-@@ -588,6 +624,11 @@
+@@ -588,6 +626,11 @@
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -21281,7 +21931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  mta_read_aliases(postfix_smtpd_t)
  
  optional_policy(`
-@@ -630,3 +671,8 @@
+@@ -630,3 +673,8 @@
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -21292,7 +21942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.8.8/policy/modules/services/postgresql.if
 --- nsaserefpolicy/policy/modules/services/postgresql.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postgresql.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postgresql.if	2010-07-30 14:06:53.000000000 -0400
 @@ -223,7 +223,7 @@
  ## </summary>
  ## <param name="domain">
@@ -21304,7 +21954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.8.8/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postgresql.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postgresql.te	2010-07-30 14:06:53.000000000 -0400
 @@ -202,9 +202,10 @@
  files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
  fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -21319,7 +21969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  kernel_read_system_state(postgresql_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.8.8/policy/modules/services/postgrey.te
 --- nsaserefpolicy/policy/modules/services/postgrey.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postgrey.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postgrey.te	2010-07-30 14:06:53.000000000 -0400
 @@ -47,9 +47,10 @@
  manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
  files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
@@ -21334,7 +21984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  kernel_read_kernel_sysctls(postgrey_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.8.8/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ppp.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ppp.if	2010-07-30 14:06:53.000000000 -0400
 @@ -326,7 +326,7 @@
  ## </summary>
  ## <param name="domain">
@@ -21346,7 +21996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.8.8/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ppp.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ppp.te	2010-07-30 14:06:53.000000000 -0400
 @@ -70,7 +70,7 @@
  # PPPD Local policy
  #
@@ -21390,7 +22040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  kernel_read_kernel_sysctls(pptp_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.8.8/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/prelude.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/prelude.te	2010-07-30 14:06:53.000000000 -0400
 @@ -72,9 +72,10 @@
  manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
  files_search_var_lib(prelude_t)
@@ -21405,7 +22055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
  kernel_read_sysctl(prelude_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.8.8/policy/modules/services/procmail.fc
 --- nsaserefpolicy/policy/modules/services/procmail.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/procmail.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/procmail.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,3 +1,5 @@
 +HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
 +/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
@@ -21414,7 +22064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.8.8/policy/modules/services/procmail.if
 --- nsaserefpolicy/policy/modules/services/procmail.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/procmail.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/procmail.if	2010-07-30 14:06:53.000000000 -0400
 @@ -77,3 +77,23 @@
  	files_search_tmp($1)
  	rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
@@ -21441,7 +22091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.8.8/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/procmail.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/procmail.te	2010-07-30 14:06:53.000000000 -0400
 @@ -10,6 +10,9 @@
  application_domain(procmail_t, procmail_exec_t)
  role system_r types procmail_t;
@@ -21492,7 +22142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.8.8/policy/modules/services/psad.if
 --- nsaserefpolicy/policy/modules/services/psad.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/psad.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/psad.if	2010-07-30 14:06:53.000000000 -0400
 @@ -176,6 +176,26 @@
  
  ########################################
@@ -21531,7 +22181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
  	allow $1 psad_t:process { ptrace signal_perms };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.8.8/policy/modules/services/psad.te
 --- nsaserefpolicy/policy/modules/services/psad.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/psad.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/psad.te	2010-07-30 14:06:53.000000000 -0400
 @@ -53,9 +53,10 @@
  logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
  
@@ -21554,7 +22204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.8.8/policy/modules/services/puppet.te
 --- nsaserefpolicy/policy/modules/services/puppet.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/puppet.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/puppet.te	2010-07-30 14:06:53.000000000 -0400
 @@ -63,7 +63,7 @@
  manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
  files_search_var_lib(puppet_t)
@@ -21613,7 +22263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.8.8/policy/modules/services/pyzor.fc
 --- nsaserefpolicy/policy/modules/services/pyzor.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/pyzor.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pyzor.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,6 +1,10 @@
  /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
 +/etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -21627,7 +22277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
  /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.8.8/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/pyzor.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pyzor.if	2010-07-30 14:06:53.000000000 -0400
 @@ -88,3 +88,50 @@
  	corecmd_search_bin($1)
  	can_exec($1, pyzor_exec_t)
@@ -21681,7 +22331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.8.8/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/pyzor.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pyzor.te	2010-07-30 14:06:53.000000000 -0400
 @@ -5,6 +5,38 @@
  # Declarations
  #
@@ -21748,7 +22398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.8.8/policy/modules/services/qpidd.fc
 --- nsaserefpolicy/policy/modules/services/qpidd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/qpidd.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/qpidd.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,9 @@
 +
 +/usr/sbin/qpidd	--	gen_context(system_u:object_r:qpidd_exec_t,s0)
@@ -21761,7 +22411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
 +/var/run/qpidd\.pid			gen_context(system_u:object_r:qpidd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.if serefpolicy-3.8.8/policy/modules/services/qpidd.if
 --- nsaserefpolicy/policy/modules/services/qpidd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/qpidd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/qpidd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,236 @@
 +
 +## <summary>policy for qpidd</summary>
@@ -22001,7 +22651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.8.8/policy/modules/services/qpidd.te
 --- nsaserefpolicy/policy/modules/services/qpidd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/qpidd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/qpidd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,59 @@
 +policy_module(qpidd,1.0.0)
 +
@@ -22064,7 +22714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
 +sysnet_dns_name_resolve(qpidd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.8.8/policy/modules/services/radius.te
 --- nsaserefpolicy/policy/modules/services/radius.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/radius.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/radius.te	2010-07-30 14:06:53.000000000 -0400
 @@ -36,7 +36,7 @@
  # gzip also needs chown access to preserve GID for radwtmp files
  allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
@@ -22087,7 +22737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
  kernel_read_system_state(radiusd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.8.8/policy/modules/services/radvd.te
 --- nsaserefpolicy/policy/modules/services/radvd.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/radvd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/radvd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -33,8 +33,9 @@
  
  allow radvd_t radvd_etc_t:file read_file_perms;
@@ -22101,7 +22751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv
  kernel_rw_net_sysctls(radvd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.8.8/policy/modules/services/razor.fc
 --- nsaserefpolicy/policy/modules/services/razor.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/razor.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/razor.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,3 +1,4 @@
 +/root/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
  HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
@@ -22109,7 +22759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
  /etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.8.8/policy/modules/services/razor.if
 --- nsaserefpolicy/policy/modules/services/razor.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/razor.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/razor.if	2010-07-30 14:06:53.000000000 -0400
 @@ -157,3 +157,45 @@
  
  	domtrans_pattern($1, razor_exec_t, razor_t)
@@ -22158,7 +22808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.8.8/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/razor.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/razor.te	2010-07-30 14:06:53.000000000 -0400
 @@ -5,6 +5,32 @@
  # Declarations
  #
@@ -22220,7 +22870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.8.8/policy/modules/services/remotelogin.if
 --- nsaserefpolicy/policy/modules/services/remotelogin.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/remotelogin.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/remotelogin.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -22241,7 +22891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.8.8/policy/modules/services/rgmanager.fc
 --- nsaserefpolicy/policy/modules/services/rgmanager.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rgmanager.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,3 +1,5 @@
 +/etc/rc\.d/init\.d/rgmanager          --  gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
 +
@@ -22250,7 +22900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
  /var/log/cluster/rgmanager\.log		--	gen_context(system_u:object_r:rgmanager_var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.8.8/policy/modules/services/rgmanager.if
 --- nsaserefpolicy/policy/modules/services/rgmanager.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rgmanager.if	2010-07-30 14:06:53.000000000 -0400
 @@ -75,3 +75,64 @@
  	fs_search_tmpfs($1)
  	manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
@@ -22318,7 +22968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.8/policy/modules/services/rgmanager.te
 --- nsaserefpolicy/policy/modules/services/rgmanager.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te	2010-07-30 14:06:53.000000000 -0400
 @@ -17,6 +17,9 @@
  domain_type(rgmanager_t)
  init_daemon_domain(rgmanager_t, rgmanager_exec_t)
@@ -22378,9 +23028,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
  	mysql_domtrans_mysql_safe(rgmanager_t)
  	mysql_stream_connect(rgmanager_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.8.8/policy/modules/services/rhcs.fc
+--- nsaserefpolicy/policy/modules/services/rhcs.fc	2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rhcs.fc	2010-08-10 11:56:57.000000000 -0400
+@@ -1,6 +1,7 @@
+ /usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+ /usr/sbin/fenced			--	gen_context(system_u:object_r:fenced_exec_t,s0)
+ /usr/sbin/fence_node			--	gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_tool                    --      gen_context(system_u:object_r:fenced_exec_t,s0) 
+ /usr/sbin/gfs_controld			--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+ /usr/sbin/groupd			--	gen_context(system_u:object_r:groupd_exec_t,s0)
+ /usr/sbin/qdiskd			--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.8/policy/modules/services/rhcs.if
 --- nsaserefpolicy/policy/modules/services/rhcs.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rhcs.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rhcs.if	2010-07-30 14:06:53.000000000 -0400
 @@ -14,6 +14,8 @@
  template(`rhcs_domain_template',`
  	gen_require(`
@@ -22498,7 +23159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.8.8/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rhcs.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rhcs.te	2010-07-30 14:06:53.000000000 -0400
 @@ -13,6 +13,8 @@
  gen_tunable(fenced_can_network_connect, false)
  
@@ -22589,7 +23250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.8.8/policy/modules/services/rhgb.if
 --- nsaserefpolicy/policy/modules/services/rhgb.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rhgb.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rhgb.if	2010-08-03 15:21:15.000000000 -0400
 @@ -22,7 +22,7 @@
  ## </summary>
  ## <param name="domain">
@@ -22646,7 +23307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-3.8.8/policy/modules/services/ricci.fc
 --- nsaserefpolicy/policy/modules/services/ricci.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,3 +1,6 @@
 +
 +/etc/rc\.d/init\.d/ricci    --  gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
@@ -22656,7 +23317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  /usr/libexec/ricci-modrpm	--	gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.8.8/policy/modules/services/ricci.if
 --- nsaserefpolicy/policy/modules/services/ricci.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.if	2010-08-10 05:23:35.000000000 -0400
 @@ -18,6 +18,24 @@
  	domtrans_pattern($1, ricci_exec_t, ricci_t)
  ')
@@ -22682,11 +23343,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  ########################################
  ## <summary>
  ##	Execute a domain transition to run ricci_modcluster.
-@@ -165,3 +183,48 @@
+@@ -96,6 +114,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Read and write to ricci_modcluserd temporary file system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ricci_rw_modclusterd_tmpfs_files',`
++	gen_require(`
++		type ricci_modcluserd_tmpfs_t;
++	')
++
++	allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Execute a domain transition to run ricci_modlog.
+ ## </summary>
+ ## <param name="domain">
+@@ -165,3 +201,67 @@
  
  	domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
  ')
 +
++####################################
++## <summary>
++##      Allow the specified domain to manage ricci's lib files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`ricci_manage_lib_files',`
++    gen_require(`
++        type ricci_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++    manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++')
 +
 +########################################
 +## <summary>
@@ -22733,7 +23438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.8.8/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.te	2010-08-10 05:23:35.000000000 -0400
 @@ -10,6 +10,9 @@
  domain_type(ricci_t)
  init_daemon_domain(ricci_t, ricci_exec_t)
@@ -22744,7 +23449,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  type ricci_tmp_t;
  files_tmp_file(ricci_tmp_t)
  
-@@ -241,6 +244,10 @@
+@@ -42,6 +45,9 @@
+ domain_type(ricci_modclusterd_t)
+ init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
+ 
++type ricci_modclusterd_tmpfs_t;
++files_tmpfs_file(ricci_modclusterd_tmpfs_t)
++
+ type ricci_modlog_t;
+ type ricci_modlog_exec_t;
+ domain_type(ricci_modlog_t)
+@@ -105,6 +111,7 @@
+ files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
+ 
+ kernel_read_kernel_sysctls(ricci_t)
++kernel_read_system_state(ricci_t)
+ 
+ corecmd_exec_bin(ricci_t)
+ 
+@@ -170,6 +177,10 @@
+ ')
+ 
+ optional_policy(`
++	shutdown_domtrans(ricci_t)
++')
++
++optional_policy(`
+ 	unconfined_use_fds(ricci_t)
+ ')
+ 
+@@ -241,6 +252,10 @@
  ')
  
  optional_policy(`
@@ -22755,7 +23489,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  	# XXX This has got to go.
  	unconfined_domain(ricci_modcluster_t)
  ')
-@@ -444,6 +451,12 @@
+@@ -261,6 +276,10 @@
+ allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
+ allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
+ 
++manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
++manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
++fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
++
+ allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
+ manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+ manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
+@@ -272,6 +291,7 @@
+ 
+ kernel_read_kernel_sysctls(ricci_modclusterd_t)
+ kernel_read_system_state(ricci_modclusterd_t)
++kernel_request_load_module(ricci_modclusterd_t)
+ 
+ corecmd_exec_bin(ricci_modclusterd_t)
+ 
+@@ -444,6 +464,12 @@
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
@@ -22770,7 +23523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  term_dontaudit_use_console(ricci_modstorage_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.8.8/policy/modules/services/rlogin.fc
 --- nsaserefpolicy/policy/modules/services/rlogin.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rlogin.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rlogin.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,4 +1,7 @@
  HOME_DIR/\.rlogin		--	gen_context(system_u:object_r:rlogind_home_t,s0)
 +HOME_DIR/\.rhosts		--	gen_context(system_u:object_r:rlogind_home_t,s0)
@@ -22781,7 +23534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.if serefpolicy-3.8.8/policy/modules/services/rlogin.if
 --- nsaserefpolicy/policy/modules/services/rlogin.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rlogin.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rlogin.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -22793,7 +23546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.8.8/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rlogin.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rlogin.te	2010-07-30 14:06:53.000000000 -0400
 @@ -43,7 +43,6 @@
  
  manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
@@ -22814,7 +23567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
  remotelogin_signal(rlogind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.8.8/policy/modules/services/rpcbind.if
 --- nsaserefpolicy/policy/modules/services/rpcbind.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rpcbind.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rpcbind.if	2010-07-30 14:06:53.000000000 -0400
 @@ -141,7 +141,7 @@
  	allow $1 rpcbind_t:process { ptrace signal_perms };
  	ps_process_pattern($1, rpcbind_t)
@@ -22826,7 +23579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
  	allow $2 system_r;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.8.8/policy/modules/services/rpcbind.te
 --- nsaserefpolicy/policy/modules/services/rpcbind.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rpcbind.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rpcbind.te	2010-07-30 14:06:53.000000000 -0400
 @@ -71,3 +71,7 @@
  ifdef(`hide_broken_symptoms',`
  	dontaudit rpcbind_t self:udp_socket listen;
@@ -22837,7 +23590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.8.8/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rpc.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rpc.if	2010-07-30 14:06:53.000000000 -0400
 @@ -128,7 +128,7 @@
  ## </summary>
  ## <param name="domain">
@@ -22927,7 +23680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.8.8/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rpc.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rpc.te	2010-07-30 14:06:53.000000000 -0400
 @@ -63,8 +63,9 @@
  allow rpcd_t self:fifo_file rw_fifo_file_perms;
  
@@ -22993,7 +23746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.if serefpolicy-3.8.8/policy/modules/services/rshd.if
 --- nsaserefpolicy/policy/modules/services/rshd.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rshd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rshd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -23005,7 +23758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.8.8/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rshd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rshd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -66,6 +66,7 @@
  seutil_read_default_contexts(rshd_t)
  
@@ -23016,7 +23769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
  	fs_read_nfs_files(rshd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.8.8/policy/modules/services/rsync.if
 --- nsaserefpolicy/policy/modules/services/rsync.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rsync.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rsync.if	2010-07-30 14:06:53.000000000 -0400
 @@ -119,7 +119,7 @@
  		type rsync_etc_t;
  	')
@@ -23079,7 +23832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.8.8/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rsync.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rsync.te	2010-07-30 14:06:53.000000000 -0400
 @@ -7,6 +7,13 @@
  
  ## <desc>
@@ -23141,7 +23894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
  auth_can_read_shadow_passwords(rsync_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.8.8/policy/modules/services/rtkit.if
 --- nsaserefpolicy/policy/modules/services/rtkit.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rtkit.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rtkit.if	2010-07-30 14:06:53.000000000 -0400
 @@ -41,6 +41,27 @@
  
  ########################################
@@ -23172,7 +23925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.8.8/policy/modules/services/rtkit.te
 --- nsaserefpolicy/policy/modules/services/rtkit.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rtkit.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rtkit.te	2010-07-30 14:06:53.000000000 -0400
 @@ -8,6 +8,7 @@
  type rtkit_daemon_t;
  type rtkit_daemon_exec_t;
@@ -23183,7 +23936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.8.8/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/samba.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/samba.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -51,3 +51,7 @@
  /var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
  
@@ -23194,7 +23947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.8.8/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/samba.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/samba.if	2010-07-30 14:06:53.000000000 -0400
 @@ -10,7 +10,7 @@
  ## </summary>
  ## <param name="domain">
@@ -23449,7 +24202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.8/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/samba.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/samba.te	2010-07-30 14:06:53.000000000 -0400
 @@ -152,9 +152,6 @@
  type winbind_log_t;
  logging_log_file(winbind_log_t)
@@ -23627,7 +24380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.8.8/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sasl.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sasl.te	2010-07-30 14:06:53.000000000 -0400
 @@ -42,13 +42,17 @@
  manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
  files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
@@ -23649,7 +24402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
  corenet_tcp_sendrecv_generic_if(saslauthd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.fc serefpolicy-3.8.8/policy/modules/services/sendmail.fc
 --- nsaserefpolicy/policy/modules/services/sendmail.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sendmail.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sendmail.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,4 +1,6 @@
  
 +/etc/rc\.d/init\.d/sendmail --  gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
@@ -23659,7 +24412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.8.8/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sendmail.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sendmail.if	2010-07-30 14:06:53.000000000 -0400
 @@ -57,6 +57,24 @@
  	allow sendmail_t $1:process sigchld;
  ')
@@ -23738,7 +24491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.8.8/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sendmail.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sendmail.te	2010-07-30 14:06:53.000000000 -0400
 @@ -19,6 +19,9 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -23803,7 +24556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.8.8/policy/modules/services/setroubleshoot.if
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.if	2010-07-30 14:06:53.000000000 -0400
 @@ -105,6 +105,25 @@
  
  ########################################
@@ -23850,7 +24603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.8.8/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.te	2010-07-30 14:06:53.000000000 -0400
 @@ -32,6 +32,8 @@
  
  allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
@@ -23914,7 +24667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
  	rpm_read_db(setroubleshoot_fixit_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.8.8/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/smartmon.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/smartmon.te	2010-08-05 14:48:00.000000000 -0400
 @@ -82,6 +82,8 @@
  storage_raw_read_fixed_disk(fsdaemon_t)
  storage_raw_write_fixed_disk(fsdaemon_t)
@@ -23926,7 +24679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.8.8/policy/modules/services/smokeping.te
 --- nsaserefpolicy/policy/modules/services/smokeping.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/smokeping.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/smokeping.te	2010-07-30 14:06:53.000000000 -0400
 @@ -23,6 +23,7 @@
  # smokeping local policy
  #
@@ -23945,7 +24698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.8.8/policy/modules/services/snmp.fc
 --- nsaserefpolicy/policy/modules/services/snmp.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/snmp.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/snmp.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -18,7 +18,7 @@
  
  /var/log/snmpd\.log	--	gen_context(system_u:object_r:snmpd_log_t,s0)
@@ -23957,7 +24710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
  /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.8.8/policy/modules/services/snmp.te
 --- nsaserefpolicy/policy/modules/services/snmp.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/snmp.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/snmp.te	2010-07-30 14:06:53.000000000 -0400
 @@ -24,7 +24,7 @@
  #
  # Local policy
@@ -23988,7 +24741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
  auth_read_all_dirs_except_shadow(snmpd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.8.8/policy/modules/services/snort.te
 --- nsaserefpolicy/policy/modules/services/snort.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/snort.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/snort.te	2010-07-30 14:06:53.000000000 -0400
 @@ -61,6 +61,7 @@
  kernel_read_proc_symlinks(snort_t)
  kernel_request_load_module(snort_t)
@@ -24007,7 +24760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
  dev_rw_generic_usb_dev(snort_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.8.8/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/spamassassin.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/spamassassin.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,15 +1,26 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -24039,7 +24792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.8.8/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/spamassassin.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/spamassassin.if	2010-07-30 14:06:53.000000000 -0400
 @@ -64,7 +64,7 @@
  ## </summary>
  ## <param name="domain">
@@ -24186,7 +24939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.8.8/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/spamassassin.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/spamassassin.te	2010-07-30 14:06:53.000000000 -0400
 @@ -19,6 +19,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -24488,7 +25241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.8.8/policy/modules/services/squid.if
 --- nsaserefpolicy/policy/modules/services/squid.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/squid.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/squid.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -24509,7 +25262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.8.8/policy/modules/services/ssh.fc
 --- nsaserefpolicy/policy/modules/services/ssh.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ssh.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ssh.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,4 +1,9 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
@@ -24530,7 +25283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +/root/\.shosts				gen_context(system_u:object_r:home_ssh_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.8.8/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ssh.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ssh.if	2010-07-30 14:06:53.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -24712,7 +25465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.8.8/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ssh.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ssh.te	2010-07-30 14:06:53.000000000 -0400
 @@ -19,6 +19,13 @@
  ## </desc>
  gen_tunable(ssh_sysadm_login, false)
@@ -24954,7 +25707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.8.8/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sssd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sssd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -31,6 +31,7 @@
  allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
  allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
@@ -24982,7 +25735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
  	dbus_connect_system_bus(sssd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.8.8/policy/modules/services/stunnel.te
 --- nsaserefpolicy/policy/modules/services/stunnel.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/stunnel.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/stunnel.te	2010-07-30 14:06:53.000000000 -0400
 @@ -46,8 +46,9 @@
  manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
  files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
@@ -24996,7 +25749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun
  kernel_read_system_state(stunnel_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.8.8/policy/modules/services/sysstat.te
 --- nsaserefpolicy/policy/modules/services/sysstat.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sysstat.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/sysstat.te	2010-07-30 14:06:53.000000000 -0400
 @@ -18,8 +18,7 @@
  # Local policy
  #
@@ -25018,7 +25771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tcpd.if serefpolicy-3.8.8/policy/modules/services/tcpd.if
 --- nsaserefpolicy/policy/modules/services/tcpd.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tcpd.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tcpd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -25030,7 +25783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tcpd
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.8.8/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/telnet.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/telnet.te	2010-07-30 14:06:53.000000000 -0400
 @@ -38,7 +38,6 @@
  
  manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
@@ -25050,7 +25803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
  	kerberos_keytab_template(telnetd, telnetd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.8.8/policy/modules/services/tftp.if
 --- nsaserefpolicy/policy/modules/services/tftp.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tftp.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tftp.if	2010-07-30 14:06:53.000000000 -0400
 @@ -16,6 +16,26 @@
  	')
  
@@ -25117,7 +25870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.8.8/policy/modules/services/tftp.te
 --- nsaserefpolicy/policy/modules/services/tftp.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tftp.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tftp.te	2010-07-30 14:06:53.000000000 -0400
 @@ -94,6 +94,10 @@
  ')
  
@@ -25131,7 +25884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.8.8/policy/modules/services/tgtd.te
 --- nsaserefpolicy/policy/modules/services/tgtd.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tgtd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tgtd.te	2010-07-30 14:06:53.000000000 -0400
 @@ -59,8 +59,12 @@
  
  files_read_etc_files(tgtd_t)
@@ -25147,7 +25900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
 +iscsi_manage_semaphores(tgtd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.8.8/policy/modules/services/tor.te
 --- nsaserefpolicy/policy/modules/services/tor.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tor.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tor.te	2010-07-30 14:06:53.000000000 -0400
 @@ -67,9 +67,10 @@
  logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
  
@@ -25171,7 +25924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.
  tunable_policy(`tor_bind_all_unreserved_ports', `
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.if serefpolicy-3.8.8/policy/modules/services/tuned.if
 --- nsaserefpolicy/policy/modules/services/tuned.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tuned.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tuned.if	2010-07-30 14:06:53.000000000 -0400
 @@ -81,7 +81,7 @@
  ## </summary>
  ## <param name="domain">
@@ -25183,7 +25936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.8.8/policy/modules/services/tuned.te
 --- nsaserefpolicy/policy/modules/services/tuned.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/tuned.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/tuned.te	2010-07-30 14:06:53.000000000 -0400
 @@ -24,6 +24,7 @@
  #
  
@@ -25205,7 +25958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
  	sysnet_domtrans_ifconfig(tuned_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.8.8/policy/modules/services/ucspitcp.te
 --- nsaserefpolicy/policy/modules/services/ucspitcp.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ucspitcp.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ucspitcp.te	2010-07-30 14:06:53.000000000 -0400
 @@ -91,3 +91,8 @@
  	daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
  	daemontools_read_svc(ucspitcp_t)
@@ -25217,15 +25970,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc
 --- nsaserefpolicy/policy/modules/services/usbmuxd.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,3 +1,3 @@
  /usr/sbin/usbmuxd	--	gen_context(system_u:object_r:usbmuxd_exec_t,s0)
  
 -/var/run/usbmuxd	-s 	gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
 +/var/run/usbmuxd.*	 	gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.8.8/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te	2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/uucp.te	2010-08-04 13:17:33.000000000 -0400
+@@ -83,6 +83,7 @@
+ corenet_udp_sendrecv_generic_node(uucpd_t)
+ corenet_tcp_sendrecv_all_ports(uucpd_t)
+ corenet_udp_sendrecv_all_ports(uucpd_t)
++corenet_tcp_connect_ssh_port(uucpd_t)
+ 
+ dev_read_urand(uucpd_t)
+ 
+@@ -113,6 +114,10 @@
+ 	kerberos_use(uucpd_t)
+ ')
+ 
++optional_policy(`
++	ssh_exec(uucpd_t)
++')
++
+ ########################################
+ #
+ # UUX Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.8.8/policy/modules/services/varnishd.if
 --- nsaserefpolicy/policy/modules/services/varnishd.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/varnishd.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/varnishd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -25272,19 +26047,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
  ##	Read varnish logs.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.8.8/policy/modules/services/varnishd.te
 --- nsaserefpolicy/policy/modules/services/varnishd.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/varnishd.te	2010-07-27 16:12:04.000000000 -0400
-@@ -50,7 +50,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/varnishd.te	2010-07-30 14:55:56.000000000 -0400
+@@ -50,7 +50,8 @@
  # varnishd local policy
  #
  
 -allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
 +allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
++dontaudit varnishd_t self:capability sys_tty_config;
  allow varnishd_t self:process signal;
  allow varnishd_t self:fifo_file rw_fifo_file_perms;
  allow varnishd_t self:tcp_socket create_stream_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.8/policy/modules/services/vhostmd.if
 --- nsaserefpolicy/policy/modules/services/vhostmd.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if	2010-07-30 14:06:53.000000000 -0400
 @@ -24,7 +24,7 @@
  ## </summary>
  ## <param name="domain">
@@ -25314,7 +26090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
  	vhostmd_initrc_domtrans($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.8.8/policy/modules/services/vhostmd.te
 --- nsaserefpolicy/policy/modules/services/vhostmd.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/vhostmd.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/vhostmd.te	2010-08-10 07:10:27.000000000 -0400
 @@ -44,6 +44,8 @@
  
  corenet_tcp_connect_soundd_port(vhostmd_t)
@@ -25324,9 +26100,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
  files_read_etc_files(vhostmd_t)
  files_read_usr_files(vhostmd_t)
  
+@@ -66,6 +68,7 @@
+ 
+ optional_policy(`
+ 	virt_stream_connect(vhostmd_t)
++	virt_write_content(vhostmd_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.8.8/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -13,17 +13,18 @@
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -25351,7 +26135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.8.8/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.if	2010-08-10 07:08:50.000000000 -0400
 @@ -21,6 +21,7 @@
  	type $1_t, virt_domain;
  	domain_type($1_t)
@@ -25417,7 +26201,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  ########################################
-@@ -308,6 +300,24 @@
+@@ -231,6 +223,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow domain to write virt image files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`virt_write_content',`
++	gen_require(`
++		type virt_content_t;
++	')
++
++	allow $1 virt_content_t:file write_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Read virt PID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -308,6 +318,24 @@
  
  ########################################
  ## <summary>
@@ -25442,7 +26251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -433,15 +443,15 @@
+@@ -433,15 +461,15 @@
  ##	</summary>
  ## </param>
  #
@@ -25463,7 +26272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  ########################################
-@@ -516,3 +526,51 @@
+@@ -516,3 +544,51 @@
  
  	virt_manage_log($1)
  ')
@@ -25517,7 +26326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.8/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.te	2010-08-10 05:23:35.000000000 -0400
 @@ -4,6 +4,7 @@
  #
  # Declarations
@@ -25542,7 +26351,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  type virt_etc_t;
  files_config_file(virt_etc_t)
  
-@@ -71,8 +72,12 @@
+@@ -65,20 +66,25 @@
+ # virt Image files
+ type virt_image_t; # customizable
+ virt_image(virt_image_t)
++files_mountpoint(virt_image_t)
+ 
+ # virt Image files
+ type virt_content_t; # customizable
  virt_image(virt_content_t)
  userdom_user_home_content(virt_content_t)
  
@@ -25555,7 +26371,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  type virt_var_run_t;
  files_pid_file(virt_var_run_t)
-@@ -89,6 +94,11 @@
+ 
+ type virt_var_lib_t;
+-files_type(virt_var_lib_t)
++files_mountpoint(virt_var_lib_t)
+ 
+ type virtd_t;
+ type virtd_exec_t;
+@@ -89,6 +95,11 @@
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -25567,7 +26390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -104,15 +114,12 @@
+@@ -104,15 +115,12 @@
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -25584,7 +26407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -147,11 +154,15 @@
+@@ -147,11 +155,15 @@
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -25600,7 +26423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,6 +171,7 @@
+@@ -160,6 +172,7 @@
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -25608,7 +26431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  	fs_manage_dos_dirs(svirt_t)
  	fs_manage_dos_files(svirt_t)
  ')
-@@ -168,28 +180,39 @@
+@@ -168,28 +181,39 @@
  	xen_rw_image_files(svirt_t)
  ')
  
@@ -25651,7 +26474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  
-@@ -200,9 +223,15 @@
+@@ -200,9 +224,15 @@
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -25667,7 +26490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-@@ -220,6 +249,7 @@
+@@ -220,6 +250,7 @@
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -25675,7 +26498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -243,18 +273,25 @@
+@@ -243,18 +274,25 @@
  dev_rw_kvm(virtd_t)
  dev_getattr_all_chr_files(virtd_t)
  dev_rw_mtrr(virtd_t)
@@ -25702,7 +26525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +299,17 @@
+@@ -262,6 +300,17 @@
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -25720,7 +26543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  mcs_process_set_categories(virtd_t)
  
-@@ -286,15 +334,22 @@
+@@ -286,15 +335,22 @@
  
  logging_send_syslog_msg(virtd_t)
  
@@ -25743,7 +26566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +420,7 @@
+@@ -365,6 +421,7 @@
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -25751,7 +26574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  optional_policy(`
-@@ -402,6 +458,19 @@
+@@ -402,6 +459,19 @@
  allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
  allow virt_domain self:tcp_socket create_stream_socket_perms;
  
@@ -25771,7 +26594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +491,7 @@
+@@ -422,6 +492,7 @@
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -25779,7 +26602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,6 +499,7 @@
+@@ -429,10 +500,12 @@
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -25787,7 +26610,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  domain_use_interactive_fds(virt_domain)
  
-@@ -440,6 +511,11 @@
+ files_read_etc_files(virt_domain)
++files_read_mnt_symlinks(virt_domain)
+ files_read_usr_files(virt_domain)
+ files_read_var_files(virt_domain)
+ files_search_all(virt_domain)
+@@ -440,6 +513,11 @@
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -25799,7 +26627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +533,121 @@
+@@ -457,8 +535,121 @@
  ')
  
  optional_policy(`
@@ -25923,7 +26751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.8.8/policy/modules/services/w3c.te
 --- nsaserefpolicy/policy/modules/services/w3c.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/w3c.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/w3c.te	2010-07-30 14:06:53.000000000 -0400
 @@ -7,11 +7,18 @@
  
  apache_content_template(w3c_validator)
@@ -25951,7 +26779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
 +apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.8.8/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -2,13 +2,23 @@
  # HOME_DIR
  #
@@ -26075,7 +26903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.if	2010-07-30 14:06:53.000000000 -0400
 @@ -19,9 +19,10 @@
  interface(`xserver_restricted_role',`
  	gen_require(`
@@ -26688,7 +27516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.te	2010-08-05 16:01:15.000000000 -0400
 @@ -35,6 +35,13 @@
  
  ## <desc>
@@ -27086,7 +27914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
 +manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
 +manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+logging_log_filetrans(xdm_t, xdm_log_t, file)
++logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
 +
  manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
  manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
@@ -27209,7 +28037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -473,6 +643,11 @@
+@@ -473,6 +643,13 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -27218,10 +28046,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +userdom_manage_user_tmp_files(xdm_t)
 +userdom_manage_user_tmp_sockets(xdm_t)
 +userdom_manage_tmpfs_role(system_r, xdm_t)
++
++application_signal(xdm_t)
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -504,11 +679,17 @@
+@@ -504,11 +681,17 @@
  ')
  
  optional_policy(`
@@ -27239,7 +28069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -516,12 +697,51 @@
+@@ -516,12 +699,51 @@
  ')
  
  optional_policy(`
@@ -27291,7 +28121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,20 +759,63 @@
+@@ -539,20 +761,63 @@
  ')
  
  optional_policy(`
@@ -27357,7 +28187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -561,7 +824,6 @@
+@@ -561,7 +826,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -27365,7 +28195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -572,6 +834,10 @@
+@@ -572,6 +836,10 @@
  ')
  
  optional_policy(`
@@ -27376,7 +28206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,10 +862,9 @@
+@@ -596,10 +864,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -27388,7 +28218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -611,6 +876,18 @@
+@@ -611,6 +878,18 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -27407,7 +28237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -630,12 +907,19 @@
+@@ -630,12 +909,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -27429,7 +28259,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -669,7 +953,6 @@
+@@ -643,6 +929,7 @@
+ # Xorg wants to check if kernel is tainted
+ kernel_read_kernel_sysctls(xserver_t)
+ kernel_write_proc_files(xserver_t)
++kernel_request_load_module(xserver_t)
+ 
+ # Run helper programs in xserver_t.
+ corecmd_exec_bin(xserver_t)
+@@ -669,7 +956,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -27437,7 +28275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -679,9 +962,12 @@
+@@ -679,9 +965,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -27451,7 +28289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -696,8 +982,13 @@
+@@ -696,8 +985,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -27465,7 +28303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -719,11 +1010,14 @@
+@@ -719,11 +1013,14 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -27480,7 +28318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,12 +1069,28 @@
+@@ -775,12 +1072,28 @@
  ')
  
  optional_policy(`
@@ -27510,7 +28348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -804,10 +1114,10 @@
+@@ -804,10 +1117,10 @@
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -27523,7 +28361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,6 +1138,13 @@
+@@ -828,6 +1141,13 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -27537,7 +28375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -843,11 +1160,14 @@
+@@ -843,11 +1163,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -27554,7 +28392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -993,3 +1313,33 @@
+@@ -993,3 +1316,33 @@
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -27590,7 +28428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.8.8/policy/modules/services/zabbix.te
 --- nsaserefpolicy/policy/modules/services/zabbix.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/zabbix.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/zabbix.te	2010-07-30 14:06:53.000000000 -0400
 @@ -35,8 +35,9 @@
  logging_log_filetrans(zabbix_t, zabbix_log_t, file)
  
@@ -27604,7 +28442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabb
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.fc serefpolicy-3.8.8/policy/modules/services/zarafa.fc
 --- nsaserefpolicy/policy/modules/services/zarafa.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/zarafa.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/zarafa.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,27 @@
 +
 +/etc/zarafa(/.*)?			gen_context(system_u:object_r:zarafa_etc_t,s0)
@@ -27635,7 +28473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara
 +/var/run/zarafa-monitor\.pid    --      gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.if serefpolicy-3.8.8/policy/modules/services/zarafa.if
 --- nsaserefpolicy/policy/modules/services/zarafa.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/zarafa.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/zarafa.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,105 @@
 +
 +## <summary>policy for zarafa services</summary>
@@ -27744,7 +28582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.te serefpolicy-3.8.8/policy/modules/services/zarafa.te
 --- nsaserefpolicy/policy/modules/services/zarafa.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/zarafa.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/zarafa.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,133 @@
 +policy_module(zarafa, 1.0.0)
 +
@@ -27881,7 +28719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.8.8/policy/modules/services/zebra.te
 --- nsaserefpolicy/policy/modules/services/zebra.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/zebra.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/zebra.te	2010-07-30 14:06:53.000000000 -0400
 @@ -61,9 +61,10 @@
  allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
  files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
@@ -27894,9 +28732,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
  
  kernel_read_system_state(zebra_t)
  kernel_read_network_state(zebra_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.8.8/policy/modules/system/application.if
+--- nsaserefpolicy/policy/modules/system/application.if	2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/application.if	2010-08-03 14:32:57.000000000 -0400
+@@ -130,3 +130,21 @@
+ 
+ 	allow $1 application_domain_type:process signull;
+ ')
++
++########################################
++## <summary>
++##	Send signal to all application domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`application_signal',`
++	gen_require(`
++		attribute application_domain_type;
++	')
++
++	allow $1 application_domain_type:process signal;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.8.8/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/application.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/application.te	2010-07-30 14:06:53.000000000 -0400
 @@ -6,6 +6,22 @@
  # Executables to be run by user
  attribute application_exec_type;
@@ -27922,7 +28785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
  	ssh_rw_stream_sockets(application_domain_type)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.8.8/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/authlogin.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/authlogin.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -10,6 +10,7 @@
  /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
  /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
@@ -27933,7 +28796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ifdef(`distro_suse', `
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.8.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/authlogin.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/authlogin.if	2010-08-10 11:41:52.000000000 -0400
 @@ -91,9 +91,12 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
@@ -28057,7 +28920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.8.8/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/authlogin.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/authlogin.te	2010-07-30 14:06:53.000000000 -0400
 @@ -8,6 +8,7 @@
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
@@ -28089,7 +28952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.if serefpolicy-3.8.8/policy/modules/system/clock.if
 --- nsaserefpolicy/policy/modules/system/clock.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/clock.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/clock.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -28119,7 +28982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.8.8/policy/modules/system/daemontools.if
 --- nsaserefpolicy/policy/modules/system/daemontools.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/daemontools.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/daemontools.if	2010-07-30 14:06:53.000000000 -0400
 @@ -71,6 +71,32 @@
  	domtrans_pattern($1, svc_start_exec_t, svc_start_t)
  ')
@@ -28202,7 +29065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.8.8/policy/modules/system/daemontools.te
 --- nsaserefpolicy/policy/modules/system/daemontools.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/daemontools.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/daemontools.te	2010-07-30 14:06:53.000000000 -0400
 @@ -38,7 +38,10 @@
  # multilog creates /service/*/log/status
  manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
@@ -28277,7 +29140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
  daemontools_manage_svc(svc_start_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.8.8/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/fstools.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/fstools.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,4 +1,3 @@
 -/sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -28293,7 +29156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.8.8/policy/modules/system/fstools.if
 --- nsaserefpolicy/policy/modules/system/fstools.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/fstools.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/fstools.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -28350,7 +29213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.8.8/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/fstools.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/fstools.te	2010-07-30 14:06:53.000000000 -0400
 @@ -117,6 +117,8 @@
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
@@ -28386,7 +29249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.8.8/policy/modules/system/getty.te
 --- nsaserefpolicy/policy/modules/system/getty.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/getty.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/getty.te	2010-07-30 14:06:53.000000000 -0400
 @@ -83,7 +83,7 @@
  term_setattr_all_ttys(getty_t)
  term_setattr_unallocated_ttys(getty_t)
@@ -28398,7 +29261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.8.8/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/hostname.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/hostname.te	2010-07-30 14:06:53.000000000 -0400
 @@ -26,15 +26,18 @@
  
  dev_read_sysfs(hostname_t)
@@ -28431,7 +29294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.if serefpolicy-3.8.8/policy/modules/system/hotplug.if
 --- nsaserefpolicy/policy/modules/system/hotplug.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/hotplug.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/hotplug.if	2010-07-30 14:06:53.000000000 -0400
 @@ -139,7 +139,7 @@
  ## </summary>
  ## <param name="domain">
@@ -28443,7 +29306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
  ## <rolecap/>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.8/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/hotplug.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/hotplug.te	2010-07-30 14:06:53.000000000 -0400
 @@ -23,7 +23,7 @@
  #
  
@@ -28471,7 +29334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -24,7 +24,13 @@
  #
  # /sbin
@@ -28498,7 +29361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
  # /var
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.8/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.if	2010-07-30 14:06:53.000000000 -0400
 @@ -105,7 +105,11 @@
  
  	role system_r types $1;
@@ -28860,7 +29723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-08-10 05:23:35.000000000 -0400
 @@ -16,6 +16,27 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -28972,7 +29835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,65 @@
+@@ -185,15 +216,66 @@
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -28994,7 +29857,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +	dev_rw_autofs(init_t)
 +	dev_manage_generic_dirs(init_t)
 +	dev_read_generic_chr_files(init_t)
-+
++	dev_relabelfrom_generic_chr_files(init_t)
++	dev_relabelto_autofs_dev(init_t)
 +	files_mounton_all_mountpoints(init_t)
 +	files_manage_all_pids_dirs(init_t)
 +
@@ -29038,7 +29902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	nscd_socket_use(init_t)
  ')
  
-@@ -211,7 +292,7 @@
+@@ -211,7 +293,7 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29047,7 +29911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -240,6 +321,7 @@
+@@ -240,6 +322,7 @@
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29055,7 +29919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +339,22 @@
+@@ -257,11 +340,22 @@
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -29078,7 +29942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -297,11 +390,13 @@
+@@ -297,11 +391,13 @@
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -29092,7 +29956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -320,8 +415,10 @@
+@@ -320,8 +416,10 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -29104,7 +29968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -337,6 +434,8 @@
+@@ -337,6 +435,8 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -29113,7 +29977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  fs_delete_cgroup_dirs(initrc_t)
  fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +449,8 @@
+@@ -350,6 +450,8 @@
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -29122,7 +29986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -362,6 +463,7 @@
+@@ -362,6 +464,7 @@
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -29130,7 +29994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -393,13 +495,14 @@
+@@ -393,13 +496,14 @@
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -29146,7 +30010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +575,7 @@
+@@ -472,7 +576,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -29155,7 +30019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -518,6 +621,19 @@
+@@ -518,6 +622,19 @@
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -29175,7 +30039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -525,10 +641,17 @@
+@@ -525,10 +642,17 @@
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -29193,7 +30057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -543,6 +666,35 @@
+@@ -543,6 +667,35 @@
  	')
  ')
  
@@ -29229,7 +30093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +707,8 @@
+@@ -555,6 +708,8 @@
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -29238,7 +30102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -571,6 +725,7 @@
+@@ -571,6 +726,7 @@
  
  optional_policy(`
  	cgroup_stream_connect(initrc_t)
@@ -29246,7 +30110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -583,6 +738,11 @@
+@@ -583,6 +739,11 @@
  ')
  
  optional_policy(`
@@ -29258,7 +30122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -599,6 +759,7 @@
+@@ -599,6 +760,7 @@
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -29266,7 +30130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -700,7 +861,12 @@
+@@ -700,7 +862,12 @@
  ')
  
  optional_policy(`
@@ -29279,7 +30143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -723,6 +889,10 @@
+@@ -723,6 +890,10 @@
  ')
  
  optional_policy(`
@@ -29290,7 +30154,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -765,8 +935,6 @@
+@@ -744,6 +915,10 @@
+ ')
+ 
+ optional_policy(`
++	ricci_manage_lib_files(initrc_t)
++')
++
++optional_policy(`
+ 	fs_write_ramfs_sockets(initrc_t)
+ 	fs_search_ramfs(initrc_t)
+ 
+@@ -765,8 +940,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -29299,7 +30174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -779,10 +947,12 @@
+@@ -779,10 +952,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -29312,7 +30187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +974,19 @@
+@@ -804,11 +979,19 @@
  ')
  
  optional_policy(`
@@ -29333,7 +30208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +996,25 @@
+@@ -818,6 +1001,25 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29359,7 +30234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -843,3 +1040,55 @@
+@@ -843,3 +1045,55 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -29417,7 +30292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.8.8/policy/modules/system/ipsec.fc
 --- nsaserefpolicy/policy/modules/system/ipsec.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.fc	2010-08-03 13:29:20.000000000 -0400
 @@ -25,6 +25,7 @@
  /usr/libexec/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
@@ -29426,9 +30301,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  /usr/local/lib(64)?/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+@@ -35,6 +36,8 @@
+ /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
+ /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
+ 
++/var/lock/subsys/ipsec		--	gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
++
+ /var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
+ 
+ /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.8.8/policy/modules/system/ipsec.if
 --- nsaserefpolicy/policy/modules/system/ipsec.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.if	2010-08-11 07:44:10.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -29532,7 +30416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  ##	</summary>
  ## </param>
  #
-@@ -273,3 +291,61 @@
+@@ -273,3 +291,81 @@
  	ipsec_domtrans_setkey($1)
  	role $2 types setkey_t;
  ')
@@ -29594,9 +30478,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
 +	allow $1 ipsec_mgmt_t:process sigkill;
 +')
 +
++######################################
++## <summary>
++##      Send and receive messages from
++##      ipsec-mgmt over dbus.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`ipsec_mgmt_dbus_chat',`
++        gen_require(`
++                type ipsec_mgmt_t;
++                class dbus send_msg;
++        ')
++
++        allow $1 ipsec_mgmt_t:dbus send_msg;
++        allow ipsec_mgmt_t $1:dbus send_msg;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.8/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.te	2010-08-10 11:57:19.000000000 -0400
 @@ -72,7 +72,7 @@
  #
  
@@ -29618,7 +30522,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  can_exec(ipsec_t, ipsec_mgmt_exec_t)
  
-@@ -166,6 +167,8 @@
+@@ -107,7 +108,7 @@
+ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+ allow ipsec_mgmt_t ipsec_t:fd use;
+ allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+-dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
++allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+ allow ipsec_mgmt_t ipsec_t:process sigchld;
+ 
+ kernel_read_kernel_sysctls(ipsec_t)
+@@ -149,6 +150,7 @@
+ files_list_tmp(ipsec_t)
+ files_read_etc_files(ipsec_t)
+ files_read_usr_files(ipsec_t)
++files_dontaudit_search_home(ipsec_t)
+ 
+ fs_getattr_all_fs(ipsec_t)
+ fs_search_auto_mountpoints(ipsec_t)
+@@ -166,6 +168,8 @@
  miscfiles_read_localization(ipsec_t)
  
  sysnet_domtrans_ifconfig(ipsec_t)
@@ -29627,7 +30548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -184,8 +187,8 @@
+@@ -184,8 +188,8 @@
  #
  
  allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
@@ -29638,7 +30559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -224,7 +227,6 @@
+@@ -224,7 +228,6 @@
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
  manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -29646,7 +30567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  # whack needs to connect to pluto
  stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -243,6 +245,17 @@
+@@ -243,6 +246,17 @@
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -29664,7 +30585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -257,7 +270,7 @@
+@@ -257,7 +271,7 @@
  
  domain_use_interactive_fds(ipsec_mgmt_t)
  # denials when ps tries to search /proc. Do not audit these denials.
@@ -29673,7 +30594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  # suppress audit messages about unnecessary socket access
  # cjp: this seems excessive
  domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -275,8 +288,11 @@
+@@ -275,8 +289,11 @@
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -29686,7 +30607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  init_use_script_ptys(ipsec_mgmt_t)
  init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
-@@ -290,7 +306,9 @@
+@@ -290,7 +307,9 @@
  
  seutil_dontaudit_search_config(ipsec_mgmt_t)
  
@@ -29696,7 +30617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  userdom_use_user_terminals(ipsec_mgmt_t)
  
-@@ -299,6 +317,23 @@
+@@ -299,6 +318,23 @@
  ')
  
  optional_policy(`
@@ -29720,7 +30641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  	nscd_socket_use(ipsec_mgmt_t)
  ')
  
-@@ -385,6 +420,8 @@
+@@ -385,6 +421,8 @@
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -29729,7 +30650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -411,6 +448,7 @@
+@@ -411,6 +449,7 @@
  files_read_etc_files(setkey_t)
  
  init_dontaudit_use_fds(setkey_t)
@@ -29737,14 +30658,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  # allow setkey to set the context for ipsec SAs and policy.
  ipsec_setcontext_default_spd(setkey_t)
-@@ -422,3 +460,4 @@
+@@ -422,3 +461,4 @@
  seutil_read_config(setkey_t)
  
  userdom_use_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.8.8/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iptables.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iptables.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,12 +1,19 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -29769,7 +30690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  /usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.8.8/policy/modules/system/iptables.if
 --- nsaserefpolicy/policy/modules/system/iptables.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iptables.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iptables.if	2010-08-05 15:53:11.000000000 -0400
 @@ -17,6 +17,10 @@
  
  	corecmd_search_bin($1)
@@ -29801,7 +30722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.8.8/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iptables.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iptables.te	2010-07-30 14:06:53.000000000 -0400
 @@ -13,9 +13,6 @@
  type iptables_initrc_exec_t;
  init_script_file(iptables_initrc_exec_t)
@@ -29888,7 +30809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.8.8/policy/modules/system/iscsi.if
 --- nsaserefpolicy/policy/modules/system/iscsi.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iscsi.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iscsi.if	2010-07-30 14:06:53.000000000 -0400
 @@ -24,7 +24,7 @@
  ## </summary>
  ## <param name="domain">
@@ -29922,7 +30843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.8.8/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iscsi.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iscsi.te	2010-07-30 14:06:53.000000000 -0400
 @@ -76,6 +76,8 @@
  
  dev_rw_sysfs(iscsid_t)
@@ -29934,7 +30855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.8.8/policy/modules/system/kdump.if
 --- nsaserefpolicy/policy/modules/system/kdump.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/kdump.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/kdump.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -29955,18 +30876,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.8.8/policy/modules/system/kdump.te
 --- nsaserefpolicy/policy/modules/system/kdump.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/kdump.te	2010-07-27 16:12:04.000000000 -0400
-@@ -29,6 +29,7 @@
++++ serefpolicy-3.8.8/policy/modules/system/kdump.te	2010-08-04 13:52:39.000000000 -0400
+@@ -29,6 +29,8 @@
  
  kernel_read_system_state(kdump_t)
  kernel_read_core_if(kdump_t)
 +kernel_read_debugfs(kdump_t)
++kernel_request_load_module(kdump_t)
  
  dev_read_framebuffer(kdump_t)
  dev_read_sysfs(kdump_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/libraries.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/libraries.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -129,15 +129,13 @@
  /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/codec/librealvideo_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30180,7 +31102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.8.8/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/libraries.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/libraries.te	2010-07-30 14:06:53.000000000 -0400
 @@ -61,7 +61,7 @@
  
  manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
@@ -30219,14 +31141,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  		# leaked fds from portage
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.fc serefpolicy-3.8.8/policy/modules/system/locallogin.fc
 --- nsaserefpolicy/policy/modules/system/locallogin.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/locallogin.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/locallogin.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,2 +1,3 @@
  
  /sbin/sulogin		--	gen_context(system_u:object_r:sulogin_exec_t,s0)
 +/sbin/sushell		--	gen_context(system_u:object_r:sulogin_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-3.8.8/policy/modules/system/locallogin.if
 --- nsaserefpolicy/policy/modules/system/locallogin.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/locallogin.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/locallogin.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -30247,7 +31169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.8.8/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/locallogin.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/locallogin.te	2010-07-30 14:06:53.000000000 -0400
 @@ -32,9 +32,8 @@
  # Local login local policy
  #
@@ -30359,7 +31281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.8.8/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/logging.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/logging.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -17,6 +17,10 @@
  /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -30400,7 +31322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.8.8/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/logging.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/logging.if	2010-07-30 14:06:53.000000000 -0400
 @@ -545,6 +545,25 @@
  
  ########################################
@@ -30474,7 +31396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  	domain_system_change_exemption($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/logging.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/logging.te	2010-07-30 14:06:53.000000000 -0400
 @@ -60,6 +60,7 @@
  type syslogd_t;
  type syslogd_exec_t;
@@ -30582,7 +31504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.8.8/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/lvm.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/lvm.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -28,10 +28,12 @@
  #
  /lib/lvm-10/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -30598,7 +31520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
  /sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.8.8/policy/modules/system/lvm.if
 --- nsaserefpolicy/policy/modules/system/lvm.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/lvm.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/lvm.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -30637,7 +31559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
  ## <rolecap/>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.8.8/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/lvm.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/lvm.te	2010-07-30 14:06:53.000000000 -0400
 @@ -141,6 +141,11 @@
  ')
  
@@ -30724,7 +31646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.8.8/policy/modules/system/miscfiles.fc
 --- nsaserefpolicy/policy/modules/system/miscfiles.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/miscfiles.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/miscfiles.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -75,13 +75,11 @@
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
  /var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
@@ -30743,7 +31665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
  /var/lib/msttcorefonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.8.8/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/miscfiles.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/miscfiles.if	2010-07-30 14:06:53.000000000 -0400
 @@ -305,9 +305,6 @@
  	allow $1 locale_t:dir list_dir_perms;
  	read_files_pattern($1, locale_t, locale_t)
@@ -30756,7 +31678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.8.8/policy/modules/system/modutils.if
 --- nsaserefpolicy/policy/modules/system/modutils.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/modutils.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/modutils.if	2010-07-30 14:06:53.000000000 -0400
 @@ -39,6 +39,26 @@
  
  ########################################
@@ -30786,7 +31708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.8.8/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/modutils.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/modutils.te	2010-07-30 14:06:53.000000000 -0400
 @@ -18,6 +18,7 @@
  type insmod_exec_t;
  application_domain(insmod_t, insmod_exec_t)
@@ -30882,7 +31804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.8.8/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/mount.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,4 +1,10 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
@@ -30897,7 +31819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.8.8/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/mount.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -31130,7 +32052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.8/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/mount.te	2010-07-30 14:06:53.000000000 -0400
 @@ -17,8 +17,15 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
@@ -31232,7 +32154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  files_mount_all_file_type_fs(mount_t)
  files_unmount_all_file_type_fs(mount_t)
  # for when /etc/mtab loses its type
-@@ -79,15 +122,19 @@
+@@ -79,15 +122,20 @@
  files_read_usr_files(mount_t)
  files_list_mnt(mount_t)
  
@@ -31247,6 +32169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 -fs_list_auto_mountpoints(mount_t)
 +fs_rw_anon_inodefs_files(mount_t)
  fs_rw_tmpfs_chr_files(mount_t)
++fs_rw_nfsd_fs(mount_t)
 +fs_manage_tmpfs_dirs(mount_t)
  fs_read_tmpfs_symlinks(mount_t)
 +fs_read_fusefs_files(mount_t)
@@ -31255,7 +32178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  mls_file_read_all_levels(mount_t)
  mls_file_write_all_levels(mount_t)
-@@ -98,6 +145,7 @@
+@@ -98,6 +146,7 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -31263,7 +32186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  term_use_all_terms(mount_t)
  
-@@ -106,6 +154,8 @@
+@@ -106,6 +155,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -31272,7 +32195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  logging_send_syslog_msg(mount_t)
  
-@@ -116,6 +166,12 @@
+@@ -116,6 +167,12 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -31285,7 +32208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -131,10 +187,17 @@
+@@ -131,10 +188,17 @@
  	')
  ')
  
@@ -31303,7 +32226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  optional_policy(`
-@@ -164,6 +227,8 @@
+@@ -164,6 +228,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -31312,7 +32235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  optional_policy(`
-@@ -171,6 +236,25 @@
+@@ -171,6 +237,25 @@
  ')
  
  optional_policy(`
@@ -31338,7 +32261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +262,11 @@
+@@ -178,6 +263,11 @@
  	')
  ')
  
@@ -31350,7 +32273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -185,6 +274,19 @@
+@@ -185,6 +275,19 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -31370,7 +32293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  ########################################
-@@ -193,6 +295,42 @@
+@@ -193,6 +296,42 @@
  #
  
  optional_policy(`
@@ -31416,7 +32339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +userdom_use_user_terminals(showmount_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia.if serefpolicy-3.8.8/policy/modules/system/pcmcia.if
 --- nsaserefpolicy/policy/modules/system/pcmcia.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/pcmcia.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/pcmcia.if	2010-07-30 14:06:53.000000000 -0400
 @@ -22,7 +22,7 @@
  ## </summary>
  ## <param name="domain">
@@ -31446,7 +32369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia
  ## <param name="role">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.if serefpolicy-3.8.8/policy/modules/system/raid.if
 --- nsaserefpolicy/policy/modules/system/raid.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/raid.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/raid.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -31467,7 +32390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.i
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.8.8/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/raid.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/raid.te	2010-07-30 14:06:53.000000000 -0400
 @@ -30,8 +30,9 @@
  allow mdadm_t mdadm_map_t:file manage_file_perms;
  dev_filetrans(mdadm_t, mdadm_map_t, file)
@@ -31489,7 +32412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
  fs_dontaudit_list_tmpfs(mdadm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -6,13 +6,13 @@
  /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
@@ -31531,7 +32454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.8.8/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if	2010-07-30 14:06:53.000000000 -0400
 @@ -361,6 +361,27 @@
  
  ########################################
@@ -31910,7 +32833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.8.8/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te	2010-07-30 14:06:53.000000000 -0400
 @@ -22,6 +22,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -32296,7 +33219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.8.8/policy/modules/system/setrans.if
 --- nsaserefpolicy/policy/modules/system/setrans.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/setrans.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/setrans.if	2010-07-30 14:06:53.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -32308,7 +33231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.8.8/policy/modules/system/setrans.te
 --- nsaserefpolicy/policy/modules/system/setrans.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/setrans.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/setrans.te	2010-07-30 14:06:53.000000000 -0400
 @@ -12,6 +12,7 @@
  type setrans_t;
  type setrans_exec_t;
@@ -32331,13 +33254,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran
  kernel_read_proc_symlinks(setrans_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.8.8/policy/modules/system/sosreport.fc
 --- nsaserefpolicy/policy/modules/system/sosreport.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/system/sosreport.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sosreport.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/sbin/sosreport	--	gen_context(system_u:object_r:sosreport_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.8.8/policy/modules/system/sosreport.if
 --- nsaserefpolicy/policy/modules/system/sosreport.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/system/sosreport.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sosreport.if	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,131 @@
 +
 +## <summary>policy for sosreport</summary>
@@ -32472,7 +33395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.8.8/policy/modules/system/sosreport.te
 --- nsaserefpolicy/policy/modules/system/sosreport.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/system/sosreport.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sosreport.te	2010-07-30 14:06:53.000000000 -0400
 @@ -0,0 +1,154 @@
 +policy_module(sosreport,1.0.0)
 +
@@ -32630,7 +33553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -64,3 +64,5 @@
  ifdef(`distro_gentoo',`
  /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
@@ -32639,7 +33562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.8.8/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.if	2010-08-10 05:23:35.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -32838,7 +33761,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ##	</summary>
  ## </param>
  #
-@@ -453,7 +524,7 @@
+@@ -444,6 +515,7 @@
+ 		type dhcpc_var_run_t;
+ 	')
+ 
++	files_rw_pid_dirs($1)
+ 	allow $1 dhcpc_var_run_t:file unlink;
+ ')
+ 
+@@ -453,7 +525,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -32847,7 +33778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ##	</summary>
  ## </param>
  #
-@@ -464,6 +535,10 @@
+@@ -464,6 +536,10 @@
  
  	corecmd_search_bin($1)
  	domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -32858,7 +33789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
  
  ########################################
-@@ -474,7 +549,7 @@
+@@ -474,7 +550,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -32867,7 +33798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ##	</summary>
  ## </param>
  ## <param name="role">
-@@ -534,6 +609,25 @@
+@@ -534,6 +610,25 @@
  
  ########################################
  ## <summary>
@@ -32893,7 +33824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -677,7 +771,10 @@
+@@ -677,7 +772,10 @@
  	corenet_tcp_connect_ldap_port($1)
  	corenet_sendrecv_ldap_client_packets($1)
  
@@ -32905,7 +33836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
  
  ########################################
-@@ -709,5 +806,52 @@
+@@ -709,5 +807,52 @@
  	corenet_tcp_connect_portmap_port($1)
  	corenet_sendrecv_portmap_client_packets($1)
  
@@ -32961,7 +33892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.8.8/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te	2010-07-30 14:45:35.000000000 -0400
 @@ -5,6 +5,13 @@
  # Declarations
  #
@@ -33085,7 +34016,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  userdom_use_user_terminals(ifconfig_t)
  userdom_use_all_users_fds(ifconfig_t)
  
-@@ -327,6 +364,8 @@
+@@ -314,6 +351,10 @@
+ 	')
+ ')
+ 
++optional_policy(`
++	brctl_domtrans(ifconfig_t)
++')
++
+ ifdef(`hide_broken_symptoms',`
+ 	optional_policy(`
+ 		dev_dontaudit_rw_cardmgr(ifconfig_t)
+@@ -327,6 +368,8 @@
  optional_policy(`
  	hal_dontaudit_rw_pipes(ifconfig_t)
  	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
@@ -33094,7 +34036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
  
  optional_policy(`
-@@ -334,6 +373,10 @@
+@@ -334,6 +377,10 @@
  ')
  
  optional_policy(`
@@ -33105,7 +34047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  	nis_use_ypbind(ifconfig_t)
  ')
  
-@@ -355,3 +398,9 @@
+@@ -355,3 +402,9 @@
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -33117,7 +34059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.8.8/policy/modules/system/udev.fc
 --- nsaserefpolicy/policy/modules/system/udev.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/udev.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/udev.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -22,3 +22,4 @@
  /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
  
@@ -33125,7 +34067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f
 +/var/run/libgpod(/.*)?	        gen_context(system_u:object_r:udev_var_run_t,s0)    
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.8.8/policy/modules/system/udev.if
 --- nsaserefpolicy/policy/modules/system/udev.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/udev.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/udev.if	2010-07-30 14:06:53.000000000 -0400
 @@ -24,7 +24,7 @@
  ## </summary>
  ## <param name="domain">
@@ -33163,7 +34105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.8.8/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/udev.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/udev.te	2010-07-30 14:06:53.000000000 -0400
 @@ -52,6 +52,7 @@
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -33230,7 +34172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.8.8/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/unconfined.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/unconfined.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,15 +1 @@
  # Add programs here which should not be confined by SELinux
 -# e.g.:
@@ -33249,7 +34191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.8.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/unconfined.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/unconfined.if	2010-07-30 14:06:53.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -33296,7 +34238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +	ubac_process_exempt($1)
 +
 +	tunable_policy(`mmap_low_allowed',`
-+		domain_mmap_low($1)
++		allow $1 self:memprotect mmap_zero;
 +	')
 +
  	tunable_policy(`allow_execheap',`
@@ -33746,7 +34688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.8.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/unconfined.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/unconfined.te	2010-07-30 14:06:53.000000000 -0400
 @@ -4,227 +4,5 @@
  #
  # Declarations
@@ -33978,7 +34920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.8.8/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,4 +1,14 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -33997,7 +34939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.if	2010-07-30 14:06:53.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -35565,7 +36507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_search_proc($1)
  ')
  
-@@ -3128,3 +3466,779 @@
+@@ -3128,3 +3466,854 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -36345,9 +37287,84 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	dontaudit $1 user_tmp_t:dir search_dir_perms;
 +')
++
++########################################
++## <summary>
++##	Execute a file in a user home directory
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a file in a user home directory
++##	in the specified domain.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`userdom_domtrans_user_home',`
++	gen_require(`
++		type user_home_t;
++	')
++
++	read_lnk_files_pattern($1, user_home_t, user_home_t)
++	domain_transition_pattern($1, user_home_t, $2)
++	type_transition $1 user_home_t:process $2;
++')
++
++########################################
++## <summary>
++##	Execute a file in a user tmp directory
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a file in a user tmp directory
++##	in the specified domain.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`userdom_domtrans_user_tmp',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	files_search_tmp($1)
++	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++	domain_transition_pattern($1, user_tmp_t, $2)
++	type_transition $1 user_tmp_t:process $2;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.8.8/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.te	2010-07-30 14:06:53.000000000 -0400
 @@ -43,6 +43,13 @@
  
  ## <desc>
@@ -36428,7 +37445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +dontaudit unpriv_userdomain self:dir setattr;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.8.8/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/xen.fc	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/xen.fc	2010-07-30 14:06:53.000000000 -0400
 @@ -1,7 +1,5 @@
  /dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
  
@@ -36439,7 +37456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc
  ifdef(`distro_debian',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.8.8/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/xen.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/xen.if	2010-07-30 14:06:53.000000000 -0400
 @@ -87,6 +87,26 @@
  ## 	</summary>
  ## </param>
@@ -36480,7 +37497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.8.8/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/xen.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/xen.te	2010-07-30 14:06:53.000000000 -0400
 @@ -4,6 +4,7 @@
  #
  # Declarations
@@ -36638,7 +37655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  	files_search_mnt(xend_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.8.8/policy/support/misc_patterns.spt
 --- nsaserefpolicy/policy/support/misc_patterns.spt	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.8/policy/support/misc_patterns.spt	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/support/misc_patterns.spt	2010-07-30 14:06:53.000000000 -0400
 @@ -15,7 +15,7 @@
  	domain_transition_pattern($1,$2,$3)
  
@@ -36664,7 +37681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.8.8/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/support/obj_perm_sets.spt	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/support/obj_perm_sets.spt	2010-07-30 14:06:53.000000000 -0400
 @@ -28,7 +28,7 @@
  #
  # All socket classes.
@@ -36776,7 +37793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.8.8/policy/users
 --- nsaserefpolicy/policy/users	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.8.8/policy/users	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/users	2010-07-30 14:06:53.000000000 -0400
 @@ -15,7 +15,7 @@
  # and a user process should never be assigned the system user
  # identity.
@@ -36812,7 +37829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.8
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.8.8/support/Makefile.devel
 --- nsaserefpolicy/support/Makefile.devel	2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/support/Makefile.devel	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/support/Makefile.devel	2010-07-30 14:06:53.000000000 -0400
 @@ -68,8 +68,8 @@
  
  # default MLS/MCS sensitivity and category settings.
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 92f9e0a..f45af40 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 8%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -331,7 +331,7 @@ if [ $1 -eq 1 ]; then
    %loadpolicy targeted $packages
    restorecon -R /root /var/log /var/run /var/lib 2> /dev/null
 else
-   semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
+   semodule -n -s targeted -r pyzor -r razor -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
    %loadpolicy targeted $packages
    %relabel targeted
 fi
@@ -450,7 +450,7 @@ SELinux Reference policy mls base module.
 %saveFileContext mls
 
 %post mls 
-semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
+semodule -n -s mls -r pyzor -r razor -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
 packages=`cat /usr/share/selinux/mls/modules.lst`
 %loadpolicy mls $packages
 
@@ -469,6 +469,23 @@ exit 0
 %endif
 
 %changelog
+* Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12
+- Fix devicekit_power bug
+- Allow policykit_auth_t more access.
+
+* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-11
+- Fix nis calls to allow bind to ports 512-1024
+- Fix smartmon
+
+* Wed Aug 4 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-10
+- Allow pcscd to read sysfs
+- systemd fixes 
+- Fix wine_mmap_zero_ignore boolean
+
+* Tue Aug 3 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-9
+- Apply Miroslav munin patch
+- Turn back on allow_execmem and allow_execmod booleans
+
 * Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-8
 - Merge in fixes from dgrift repository